The single sign-on specs created by Microsoft and Sun may help users in the future. But some can’t wait. PAGE 4

Security Tools Tapped For Compliance Projects

Users link devices for capturing info about IT security incidents to corporate servers

BY JAIKUMAR VIJAYAN
Security event and information management appliances that were originally designed to help IT managers identify and deal with network threats are now finding new uses as regulatory compliance reporting tools within a growing number of companies.

The trend is being driven by the ability of such products to capture and correlate the torrents of log data generated by security devices, networking equipment, and database and application servers, IT managers and analysts said last week.

“A large percentage of the customers we’re speaking with originally purchased these tools for aggregating and correlating security data,” said Amrit Williams, an analyst at Gartner Inc. “Now they’re telling us that they’re using [the devices] for regulatory compliance.”

For example, Calpine Corp., a San Jose-based power producer, purchased a security event management appliance from Network Intelli-

Compliance, page 14

The SEC reduces the IT controls that must be tested for Sarb-


EMC’s Midrange Disk Arrays Cannibalize Symmetrix Sales

BY LUCAS MEARIAN
NEW ORLEANS
Sales of EMC Corp.’s Clariion midrange storage systems are skyrocketing — but the company acknowledged last week that some of the growth is coming at the expense of the Symmetrix arrays that were once its bread and butter.

Users at the EMC Technology Summit here said the vendor continues to bolster the Clariion line with high-end functionality once reserved for Symmetrix, such as data mirroring, snapshot copying and dynamic provisioning.

“They've added feature functionality and performance to make [Clariion] what the

EMC, page 12

Sears Ends IT Pact;
CSC Seeks Payment

Retailer says outsourcer breached contract; CSC claims that Sears schemed to avoid fees

BY CAROL SLIWA
Sears, Roebuck and Co. ended its 10-year, $1.6 billion IT outsourcing agreement with Computer Sciences Corp. after just 11 months. But the companies now face arbitration on a prickly dispute over the grounds of the cancellation and whether Sears has to pay termination fees to CSC.

At stake, according to motions that CSC filed April 25 with the U.S. Court of Appeals in Chicago, is roughly $96 million in termination fees. CSC claims that is the amount Sears should have to pay to end the contract.

Sears said in a May ILI filing with the U.S. Securities and Exchange Commission that it had cause to pull out of the contract, citing CSC’s “failure to perform certain of its obligations.” The retailer added that it expects to incur no “material” penalties as a result of the termination.

But in its own SEC filing last week, CSC countered that Sears’ attempt to end the contract for cause was “contrived to avoid or reduce” the termination fees that the outsourcing vendor says it is owed.

Sears-CSC, page 55

The looming increase in job turnover and retirements means that succession planning for key IT players is now a necessity, reports Thomas Hoffman. Page 39

Single sign-on specs created by Microsoft and Sun may help users in the future. But some need the technology now.

The SEC issues new Sarbanes-Oxley guidelines that reduce the number of IT controls companies must assess.

Pfizer intends to consolidate more than 30 document management systems and standardize on XML to meet federal regulations.

IBM plans to release a database for configuration management, but other vendors claim it’s not the first to take a federated approach.

Cybersecurity standards proposed for the utility industry are flawed, say conference attendees.

SAP announces that 10 technology providers have licensed its ESA middleware.

Bank insiders were involved in a massive theft of account data over four years, New Jersey police allege.

Global Dispatches: Fujitsu
Japan; and Sabre agrees to buy a U.K. online travel agency.

EMC will ship its storage virtualization technology late, but users are willing to wait.

health agency after it awards a contract to a rival vendor.

— don’t happen by accident. Here’s how our Premier 100 IT leaders get vendors to notch up their performance. Page 42

else’s canceled checks in his
look at the systems that allowed such a privacy breach.

SECURITY: The release of two variants of the Sober worm prompts columnist Douglas

Texas County Sues
SAP and Siemens

Collin County, Texas, filed a lawsuit against units of SAP AG and Siemens AG, charging fraud, breach of contract and negligent misrepresentation. The county is seeking almost $16 million in damages. The suit was filed after the companies failed to complete work on an ERP system slated to be finished in October. SAP and Siemens have filed motions to dismiss the lawsuit.

Waitt Resigns as Gateway Chairman

Gateway Inc. founder and Chairman Ted Waitt has resigned from the PC company, passing his baton to longtime board member Richard Snyder. Waitt, Gateway’s chairman for 20 years, said he is leaving to concentrate on his other businesses and to do philanthropic work. Snyder has been a director at the Irvine, Calif.-based company since 1991 and was president and chief operating officer in the mid-1990s.

Broadcom Brings Suit on Qualcomm

Communications chip vendor Broadcom Corp. has sued Qualcomm Inc., seeking to halt the manufacture and sale of key Qualcomm chips. Two suits, filed in the U.S. District Court in California, allege that Qualcomm has infringed a total of 10 Broadcom patents. Broadcom has also filed a complaint with the International Trade Commission.

Google Updates Desktop Search

Google Inc. has released a desktop search tool tailored for the workplace. The new tool, called Google Desktop Search for the Enterprise, has a series of installation, distribution, management and security features for IT departments to use when rolling out and configuring the product.








Single Sign-on Strategy Faces User Scrutiny

Microsoft, Sun to propose technical specs as a standard

BY PATRICK THIBODEAU
THE SINGLE sign-on specifications that Microsoft Corp. and Sun Microsystems Inc. announced this month won't help John Wade, CIO at Saint Luke’s Health System, a 10-hospital health care group in Kansas City, Mo.

That’s partly because most of the systems at Saint Luke’s are from Hewlett-Packard Co. But Wade said he just can’t wait for IT vendors to solve the single sign-on problem. His end users see the lack of that capability as their major systems headache, he said.

As a result, Wade expects to spend $100,000 to $500,000 of his $23 million IT budget to add single sign-on functionality by early next year. The effort could involve the creation of custom interfaces.

“I don’t think any of the vendors have a real simplified directory management process,” he said. “It’s an industry-wide problem.”

Sun and Microsoft agreed to two sets of specifications allowing single sign-on for users of systems running Solaris and Windows [QuickLink 54419]. The announcement came at the one-year anniversary of an agreement by the two companies to settle a long-running legal dispute and cooperate on integrating their products.

Microsoft and Sun have released draft specifications. They will be submitted to an as-yet-unnamed standards body and will face scrutiny from rival vendors as well as users. Even Microsoft and Sun users won't see products with capabilities built around the proposed single sign-on specifications until next year.

The access-control and single sign-on products now on the market have largely been developed to work in single operating environments, said Lynn Goodendorf, vice president of information privacy protection at Windsor, England-based InterContinental Hotels Group PLC, which operates 3,500 hotels worldwide.

“The goal of most users is we want to have one solution that would work in all our different environments and operating systems, and not have multiple tools to do that,” Goodendorf said. She noted that InterContinental has a single sign-on system for its Web-based applications but not for its mainframes.

Goodendorf said the Sun-Microsoft agreement was “a positive development for privacy” because single sign-on is closely coupled with improved data access controls.

But it’s unclear whether the specifications will be supported as standards by other vendors. For example, the Liberty Alliance, which includes Sun and is one of the major vendor groups working on identity management issues, characterized the Microsoft-Sun specifications as a step, not a solution.

Not ‘Truly’ Interoperable
Sai Allavarpu, director of product management and marketing at HP, said Sun and Microsoft have no plan for involving users or other vendors in finalizing the specifications. “So it doesn’t appear to be a truly interoperable solution,” he said. “It just appears to be interoperability between two implementations.”

But Sun and Microsoft said that the standards-approval process will involve other vendors. And they argued that the specifications are applicable for any system that uses either the Liberty Alliance’s protocols or the Web Services Federation specification, which was developed by Microsoft and vendors such as IBM and BEA Systems Inc.

IT managers have said that they welcome the prospect of single sign-on and that it could help reduce costs, but that there are risks as well.

“As nice as it is to think that one username and password will gain you access to all of your systems, it also means that the employees need to be overly protective of their log-in codes,” said Brian Young, vice president of IT at Creighton University in Omaha. “Single sign-on gives everyone a master key to their house.”

@ 54543

ID Management Ties Are GM's Top Priority

GENERAL MOTORS CORP. has played a key role in getting Sun and Microsoft to cooperate on cross-platform identity management. Fred Killeen, director of systems development and chief technology officer for GM's information systems and services organization, said in an interview last week that single sign-on capability is the automaker's top priority for the two vendors.

To what degree have your users been frustrated by the lack of interoperability between Microsoft and Sun products? Clearly, as users, we would like to have our life simplified - we would like to have fewer IDs and fewer passwords. From a GM perspective, we really view it as a security component as well, because the more IDs and passwords you have, users tend to write them down, and they tend to put them in places which actually make you less secure than more secure.

In terms of identity management, what impact will the capabilities that Microsoft and Sun are promising have on your costs? I don't think we know enough yet. Certainly, there are lots of estimates on percentages of calls to your help desk for password resets. This isn't going to make all of them go away, because you still have lots of other applications out there. But it can certainly reduce them.

We [also] believe it can help reduce some of the access management requirements. It would integrate the identities there.

If we were going to integrate as is, because we're in an outsourced environment, we would pay a supplier to develop these interfaces, maintain them over time and refresh them every time these suppliers upgrade their products.

Sun and Microsoft also want to improve their management capabilities and make it easier to write applications that run in both environments. What do you want to see the companies accomplish next? I think they're not done with identity management. We need to continue to drive this [and] look at the integration issues and how you pull these two environments together.

Down the road, the other technologies that they have talked about are great opportunities. But at least for right now, this is the one that we highlighted, and we want to make sure that we drive this one to closure.

- Patrick Thibodeau

READ MORE ONLINE
Go to our Web site for an extended version of this interview: QuickLink 54506
www.computerworld.com

SEC Offers Limited
Sarb-Ox Relief to IT

Feedback leads to modifications in assessing controls

BY THOMAS HOFFMAN
The U.S. Securities and Exchange Commission last week issued new Sarbanes-Oxley Act compliance guidelines that should provide IT departments at publicly held companies with some relief by reducing the number of IT controls that must be assessed each year.

However, the SEC will continue to require that companies assess the controls that are in place for any new systems or software upgrades — particularly those that affect financial reporting — despite feedback from auditors and IT that such rules can be stifling.

For instance, the SEC denied requests that it exclude new systems and upgrades installed late in a fiscal year from year-end testing requirements. According to the guidelines, “management can plan, design and perform preliminary assessments of internal controls in advance of system implementations or upgrades.”

That means companies must conduct risk assessments on the systems during the planning stages “and focus on the high-risk areas,” said Carter Priess, CEO of Pace Solutions Inc., an IT audit consultancy in Danvers, Ill.

The SEC guidelines are aimed at allowing auditors to reduce the number of checks they conduct on internal controls under Section 404 of the law. Some analysts say the changes suggest that the original requirements may indeed have been excessive.

Implications Unclear
Todd Naughton, vice president and controller at Zebra Technologies Corp., a high-tech printing vendor in Vernon Hills, Ill., said he will need a few weeks to review the SEC’s guidance with IT and external auditors to determine its implications.

Still, Naughton said he’s “guardedly optimistic” that the SEC’s latest guidance “will offer relief to our IT staff.”

In the statement last week, the SEC said that it will no longer require an assessment of all IT controls, only those that affect the financial reporting of an organization.

Many IT managers had previously complained about the lack of clarity in terms of the IT controls that had to be assessed, said John Hagerty, an analyst at Boston-based AMR Research Inc.

By narrowing the scope of the IT controls that need to be annually reviewed, the SEC guidance “should lower the burden on IT,” Priess said.

The SEC’s new recommendation that IT departments conduct risk assessments on general IT controls such as those around information security may have introduced a new “level of ambiguity,” said Sanjay Anand, chairman of the Sarbanes-Oxley Group of Auditors and Professionals, an online community of Sarbanes-Oxley practitioners based in Clifton, NJ.

“The approach has shifted from ‘test all controls’ to ‘a risk-based approach to choosing which controls to review,’ ” said Anand.

All in all, said Hagerty, the result will depend heavily on how auditors interpret the guidelines. @ 54533

— From the SEC's “Staff Statement on Management's Report on Internal Control Over Financial Reporting”

MORE ON SARB-OX
Columnist Frank Hayes gives his take on the guidelines. Page 56

Rules Prompt Pfizer to Consolidate Content Management Systems

Project to convert Word documents to XML also on tap

BY HEATHER HAVENSTEIN
Pfizer Inc. is embarking on an effort to consolidate more than 30 document management systems in order to streamline regulatory submissions.

At the same time, the New York-based drug giant has started an effort to standardize on XML for authoring to meet new federal regulations.

The projects stem from the challenges associated with meeting new submission requirements from the U.S. Food and Drug Administration and other agencies, said Christopher Lee, director of worldwide regulatory operations at Pfizer.

A consolidated content management system will allow the company to meet these evolving submission requirements without having to deploy tactical point solutions or revise content multiple times, Lee said.

Pfizer plans to build the content repository by using technology from the Documentum Inc. unit of Hopkinton, Mass.-based EMC Corp.

The content management system consolidation will span operations in 26 countries and different corporate groups such as research and marketing to create one seamless flow of information to support regulatory submissions, according to Lee.

The company is also defining “authoritative sources” of content so information about a single subject — such as a drug compound — can be limited to one location.

Consolidating content management systems will likely allow Pfizer to more easily integrate content needed for regulatory submissions that may now be created on disparate systems, said Nathaniel Palmer, an analyst at Delphi Group in Boston.

“It will be a huge effort ... if they're able to do it successfully, the advantages would be tremendous around the life cycle of information and being able to trace back to the origins of that information,” Palmer said.

At the same time, Pfizer plans to convert all of its regulatory submission-related content from Word to XML.

Beginning in October, the FDA will require that pharmaceutical companies submit changes to product labeling in an XML format. Most pharmaceutical companies, including Pfizer, now deliver these changes in Word documents.

Pfizer will decide in the next 30 days whether to use an outside vendor to convert existing documents to XML or build in-house tools to do the job.

The company plans to create documents directly in XML by using tools from Arbortext Inc. in Ann Arbor, Mich., Lee said.

In parallel, the company is building a common template that can help in the process of converting Word documents to XML.

“From a business standpoint, Word right now introduces the opportunity for variability,” which hinders efforts to standardize company documents, Lee said.

In addition, an XML-based authoring system will allow the people writing the content — often physicians — to focus solely on content without having to worry about structure of the document, he said.

However, Palmer noted that there will be cultural challenges associated with migrating authoring to XML. “You have fiefdoms ... that aren’t going to easily change,” he

THE ASSOCIATED PRESS
content management systems should improve the work done in its laboratories, the pharmaceutical company says.

Attendees at the AIIM show say they're looking for ways to better manage content and make it easier for users to access

Brocade to Restate
2001-04 Results

Data storage equipment maker Brocade Communications Systems Inc. said that it overstated its earnings by as much as $52 million from 2001 through 2004 because of improper accounting of its stock-option expenses. San Jose-based Brocade also disclosed that it is cooperating with a joint investigation of its stock-option practice by the U.S. Department of Justice and the Securities and Exchange Commission.

HP Results Beat Expectations

Led by strong revenue growth outside of the U.S., Hewlett-Packard Co. reported that its second-quarter revenue grew 7% from the year-earlier period, slightly ahead of Wall Street’s expectations.

[Chart: HP BY THE NUMBERS, REVENUE]

PalmOne Names
Colligan CEO

Handheld device maker PalmOne Inc. has named Ed Colligan president and CEO. He had been serving as interim CEO since former head Todd Bradley left in February. Colligan has been charged with regaining PalmOne’s dwindling share of an overall declining handheld market from companies such as HP.

Microsoft Adds Hosting Tools

Microsoft Corp. has unveiled new tools to help hosting service providers integrate Windows-based applications into their sites and improve site management. The Windows-based Hosting Version 3.5 is aimed at providers that offer shared Web hosting or discount dedicated server hosting. The tool includes support for Microsoft Operations Manager.





HOT TECHNOLOGY TRENDS, NEW PRODUCT NEWS AND INDUSTRY BUZZ BY MARK HALL

Offshore Wage Gains Won't Raise . . .

. . . the cost of IT work heading to India. So claims Marc Hebert, executive vice president of marketing at Sierra Atlantic Inc., an offshore outsourcer in Fremont, Calif. Despite annual wage increases of 15% to 20% for IT staffers in India, the cost of technology operations there won't edge upward, Hebert argues. He says that those pay increases are being compensated for by better productivity from India-based IT workers, with the subcontinent’s improved technology infrastructure contributing to the productivity boost. Hebert adds that India’s universities today produce four engineers for every one graduating from a U.S. school — a ratio that he predicts will reach 10-1 by 2015. The prevalence of graduates in India means that Sierra Atlantic can hire well-trained entry-level programmers and IT administrators, which helps keep its costs down, Hebert says. To keep up with demand, Sierra Atlantic added 400 jobs last year, increasing its total workforce to about 900 employees. About 50 of those new jobs were in the U.S. Hebert claims that during the last presidential election, the opposition to offshoring voiced by many Democrats backfired and gave the practice some “good PR.” Similarly, he suggests that television commentator Lou Dobbs, who regularly criticizes offshoring on his show, “does more to help the industry than anybody.” The offshore phenomenon is spreading, Hebert says, noting that some companies in Canada — which itself is considered a “nearshore” alternative for U.S. businesses — have begun moving IT jobs to India through Sierra Atlantic.

India’s produc-

Trust your PC to protect your...

. . . Network. No, not Windows, but the PC hardware itself. In March, Dell Inc. became the last of the major PC makers to begin shipping systems with Trusted Platform Module (TPM) security devices, which are based on specifications developed by Trusted Computing Group Inc. in Portland, Ore. Steven Sprague, CEO of IT security vendor Wave Systems Corp. in Lee, Mass., says that in four or five years, as companies replace their older PCs, all corporate desktops and laptops should be TPM-ready. TPM chips can be used to encrypt e-mail messages and data on hard drives. Most important, says Sprague, the technology can authenticate users before letting them on corporate networks, making it more difficult for unauthorized people to access systems. He adds that once all your PCs are TPM-enabled, it may be possible to ditch your single sign-on plans because you'll be able to use the initial authentication to give end users access to all their applications. Sprague says the TPM specification for mobile devices will be ready by the end of the year. Goodness. What will we do when computing becomes secure?

A lot cheaper and

more secure...

... than PCs. That’s what all thin-client advocates boast about their devices. Yet, according to market research company IDC, thin clients make up a minuscule 1% to 2% of the overall desktop market. That doesn’t dampen the enthusiasm of Michael Kantrowitz, CEO of Neoware Systems Inc. in King of Prussia, Pa. After all, Fortune magazine just dubbed Neoware the eighth-fastest-growing company in the U.S., and IDC ranks it as the No. 2 thin-client vendor behind Wyse Technology Inc. Kantrowitz thinks his company is on a trajectory to pass San Jose-based Wyse, although he wouldn’t say when. Furthermore, he predicts that by 2010, as much as 10% of desktop systems will be thin clients, due to a combination of cost issues and security concerns that TPM technology may or may not resolve. Kantrowitz estimates that up to 90% of corporate desktops could be replaced by thin clients, but he acknowledges that it won’t happen. “PCs are entrenched in IT departments and will continue to be entrenched,” he says.

KANTROWITZ
Thin clients are growing.

CEOs, even CIOs, just don’t see. . .

. . . good vendor support. That’s the response from J.B. Wood, president of the Service & Support Professionals Association in San Diego, to a recent item here about IT execs taking aim at pricey technical support deals [QuickLink 53633]. “As you move up the IS chain, user-support satisfaction levels go down, and the perceived value of the [service and support] contract goes down,” Wood observes. Ironically, a vendor’s support gets management kudos only when the technology is flaky, he says. “The invisibility of good support helps systems stay up, drives TCO down and unlocks business benefits that users might not otherwise see,” Wood claims. His advice: When you're renegotiating your service and support contracts, take more than those annual fees into account. @ 54489
IBM Adds New Choice
On Configuration DBs 


Claims to offer first truly federated 
repository for IT info; others disagree 





BY MATT HAMBLEN 
HEN IBM last 
week detailed 
plans to release 
a database for 

consolidating information 

about system configurations 
and other IT settings, it 
claimed to be the first manage- 
ment tools vendor to announce 

“a truly federated approach” 

for pulling together such data. 

But that claim unleashed a 
torrent of reactions from com- 
petitors that said they already 
offer what IBM plans to roll 
out later this year. And two 
technology analysts said IBM’s 
Tivoli unit is playing catch-up 
to other vendors on the con- 
figuration management data- 
base (CMDB) concept. 

Tivoli’s upcoming Change 
and Configuration Manage- 
ment Database software and 
other products like it aim to 
give IT managers a central 
repository of data about their 
technology installations. The 
use of a single management 
database is recommended as 
part of the IT Infrastructure 
Library (ITIL), a set of IT 
management guidelines. 

Wayne Fowler, director of 
server and systems manage- 
ment at BMO Financial Group, 
said the Toronto-based bank- 
ing firm is devoted to ITIL 
practices. “We're a pure-play 
ITIL shop, and we take a reli- 
gious approach to it,” he said. 

But he added that BMO 
plans to use six to 12 manage- 
ment databases from different 
vendors to help administer the 
more than 2 million compo- 
nents of its global network. 
IBM’s forthcoming offering 
will be part of that mix. 

BMO has been a Tivoli cus- 
tomer for six years. But it also 
uses BMC Software Inc.’s IT 
service desk management 
tools and Peregrine Systems 
Inc.’s asset management soft- 





ware, Fowler noted. “The ap- 
proach you want to ask from 
any vendor is, ‘How do you fit 
in a federated environment, or 
would you rather try to rule 
the world?’ ” he said. 

Lender’s Service Inc., which 
provides property valuation, 
title and closing services to 
lending companies, doesn’t 
use a federated database yet. 
But Marc Machin, a senior 
systems engineer at LSI’s San- 
ta Ana, Calif., office, said it 
would be desirable to have 








“ 


one so he could have “one 
entry point to look at every- 
thing.” He added that he needs 
to research how well the avail- 
able databases integrate with 
other tools. 

BMC today will announce 
plans to combine its Patrol 
and Patrol Express scftware 
to create a product called Per- 
formance Manager that’s de- 
signed to offer users both 
agent-based and agentless 
management tools. 

The two Patrol products will 
be bundled under a single li- 
cense next month, and BMC 
plans to integrate them with 
its CMDB next year, said Tom 
Bishop, who was named chief 
technology officer at the Hous- 
ton-based company last week. 
BMC announced its CMDB in 
January and has shipped the 
database to 65 customers, 
according to Bishop. 





www.computerworld.com 


Hewlett-Packard Co., Com- 
puter Associates International 
Inc. and other vendors said 
they also have federated data- 
bases for consolidating IT in- 
formation. For example, HP 
has offered a CMDB with its 
OpenView Service Desk soft- 
ware since 1999, said Bill Em- 
mett, chief solutions officer 
for HP’s software unit. 

IBM plans to ship a limited release of the Tivoli database this
summer. Mary Johnston-Turner, an analyst at Summit Strategies
Inc. in Boston, said the upcoming database is “extremely
important ... because IBM has been behind on addressing ITIL.”
SYSTEM MANAGERS
IBM plans two upgrades of the management software it bundles
with its servers:

Utility Cybersecurity Plan Questioned

BY THOMAS HOFFMAN
CHICAGO

A set of cybersecurity standards proposed by the North American
Electric Reliability Council (NERC) are too detailed in some
instances, attendees at an industry conference here said last
week.

Users at the Platts Cyber Security for Utilities conference
said that if the proposal is adopted, it could lead to regional
differences in interpretation and extra compliance work for
information security managers at electric utilities.

NERC’s proposed cybersecurity standards, known as CIP-002
through CIP-009, cover areas ranging from the security of
critical cyberassets to personnel screening and training
requirements.

Charles Noble, a member of the NERC drafting committee who is
also the information security coordinator at ISO New England in
Holyoke, Mass., said the biggest weakness of the proposal is
that it’s too prescriptive in certain areas, like records
management, where it spells out the number of years that
specific types of records must be maintained.

A key strength of the proposal is that it’s being driven by
utilities and not by the federal government, said James Sample,
manager of information security services at California
Independent System Operator Corp. in Folsom. With
utility-driven standards, “we can control our own destiny,”
Sample said.

Enforceability Unclear
NERC’s membership includes utilities and related organizations.
Its mission is to ensure the reliability of bulk power
generation in North America. As a volunteer organization, its
standards aren’t currently enforceable.

However, the energy bill that’s currently being debated by the
U.S. Senate includes a proposal to grant NERC regulatory
authority. And even if NERC’s proposed standards aren’t
eventually approved by its members, it’s widely believed that
the Federal Energy Regulatory Commission (FERC) or state
regulatory authorities would step in to create and enforce
more-rigid cybersecurity requirements.

If the standards aren’t passed by two-thirds of NERC’s members
as required, “I wouldn’t be surprised if FERC doesn’t jump on
it, make it a federal regulation and toughen up some of the
language,” said Scott McCoy, director of security at
Minneapolis-based Xcel Energy Inc.

To date, NERC members 
have voted on two drafts of the 
proposed standards. Earlier this 
month, the council posted the 
third draft, which members will 
be able to comment on for a 
45-day period. In late July, the 
NERC drafting committee will 
post a final draft for a 30-day 
review before the next round 
of voting, said Larry Bugh, 
chairman of the NERC stan- 
dard drafting team and man- 
ager of IT for the East Central 
Area Reliability Council, one 
of 10 regional NERC units. 







One of the concerns that in- 
dustry security managers have 
is that the current standard, 
known as UA 1200, is set to 
expire in early August, thus 
leaving a gap between cyber- 
security standards. 

Barry Lawson, manager of 
power delivery at the National 
Rural Electric Cooperative As- 
sociation, said he believes 
most utilities will continue to 
abide by the current standard 
until another one is approved. 

Thomas Kropp, a project 
manager at the Electric Power 
Research Institute in Palo 
Alto, Calif., noted that other 
cybersecurity standards 
being developed by organiza- 
tions such as the National 
Institute of Standards and 
Technology and the Institute 
of Electrical and Electronics 
Engineers Inc. may end up 
imposing conflicting demands 
upon utilities. 

If and when NERC cyberse- 
curity standards are published 
and regardless of how their 
content may change, utilities 
will still face compliance chal- 
lenges. “The biggest challenge 
we face is the corporate cul- 
ture” in terms of getting plant 
operators and other workers 
to change their mind-sets 
about security, said Sample. 


BRIEFS


Nortel, IBM to 
Build Network Gear 


Nortel Networks Corp. and IBM 
have agreed to jointly develop 
networking products for the tele- 
communications industry. They 
will initially focus on developing 
carrier-grade servers for commu- 
nications providers. Those prod- 
ucts will be based on IBM’s 
BladeCenter server design. The 
companies have created a 30- 
person joint development center 
in Research Triangle Park, N.C. 


CEO Otellini Begins 
New Era at Intel 


Paul Otellini has become the fifth CEO in Intel Corp.’s 37-year
history - and he’s the first person without an engineering
background to rise to the top spot there. Otellini replaces
Craig Barrett, Intel’s CEO since 1998, who will become
chairman. Andy Grove, the current chairman, will step down from
the board but continue to advise Intel’s leaders.


BT Group Posts 
Sales, Profit Gains 


BT Group PLC credited its “new 
wave” offerings - information 
and communications technology, 


Ten Tech Firms License
SAP’s ESA Middleware

CEO also hints at pricing moves at the Sapphire event

BY MARC L. SONGINI


BOSTON
SAP AG last week said that 10 technology companies, including
Microsoft Corp., Cisco Systems Inc. and Computer Associates
International Inc., have licensed its Enterprise Services
Architecture (ESA) as it continues to extend its
service-oriented architecture platform.

At its Sapphire 2005 user event here, the ERP and business
applications vendor touted the Web-based ESA and its
centerpiece NetWeaver middleware technology, which can be used
to integrate SAP’s mySAP suite with homegrown and third-party
applications.

In addition, Henning Kagermann, chairman and CEO of SAP, hinted
that as the ESA stack evolves, SAP might change its current,
traditional licensing policy to what he called “value-based
pricing.”


User Interest
Users at the conference said they are closely watching the
evolution of ESA.

The NetWeaver stack is “absolutely part of our business
strategy,” said Ed Deenihan, vice president of global services
at Network Appliance Inc., a storage systems and services
provider and an SAP partner.

Deenihan said his company is looking to integrate its remote
and on-site support offerings. By using NetWeaver, he said, “we
don’t think we have to rip out what we've already done. The key
is we can evolve at the pace that a customer wants.”


Edward Pisula Jr., director of corporate IT at Respironics
Inc., a Murrysville, Pa.-based maker of respiratory devices,
said the NetWeaver platform can be used to tweak his company’s
software for competitive advantage.

Respironics now runs SAP’s R/3 ERP and Business Warehouse
business intelligence applications. Pisula said NetWeaver could
make SAP’s proprietary ABAP programming language easier to use
by crafting simple user interfaces that provide users with
pertinent data via a portal.

As for value-based pricing, Pisula said the jury is still out.
“I’m willing to listen,” he said.

Ralph Loura, vice president and CIO at Holtsville, N.Y.-based
wireless products provider Symbol Technologies Inc., said that
although value-based pricing is an interesting concept, he
would need more details before making a decision about it.


NetWeaver has the potential to provide something that software
vendors have been promising for 10 years in terms of creating
complete workflows, but there are significant technical
problems, said David Dobrin, an analyst at consultancy B2B
Analysts Inc. in Boston. “You have to make sure the puzzle
pieces fit together right,” he said. “You can’t just take a few
pieces here and there and expect to make it all work.”

Meanwhile, SAP also announced mySAP CRM 2005 at the user
conference.

The new system includes enhanced marketing capabilities,
including an e-mail response management tool, and service
management improvements to let users automate the handling of
warranties, re-

The CRM application is slated to ship in October.





as well as broadband and mobility services - for increases in
revenue and profit in its fourth fiscal quarter, which ended
March 31.

N.J. Police Charge Nine for Stealing Bank Account Data

Thefts allegedly involved bank workers,
took place over a four-year period

BY TODD R. WEISS

Hundreds of thousands of electronic account records were
allegedly stolen from four banks and sold to collection
agencies and law firms by a New Jersey data-theft ring that
included seven bank employees, according to police in the city
of Hackensack.


High-End Sparc CPU


Fujitsu Computer Systems Corp. 
is shipping a faster version of its 
Sparc64 V processor with certain 
PrimePower Unix servers. The 
company said five PrimePower 
models will ship with a 2.08-GHz 
Sparc64 V CPU with 4MB of on- 
chip cache. Fujitsu wouldn’t say 
whether it plans to ship the new 
chips with its low-end Prime- 
Power 250 and 450 systems. 


The Hackensack Police Department last week increased the total
number of customer accounts that allegedly were breached to
about 676,000. That’s up from the initial count of 500,000
records.


“This thing’s getting bigger 
and bigger,” Hackensack Po- 
lice Capt. Frank Lomia said. 
“It’s still growing. The banks 
are uncovering more accounts 
than we knew about.” 

The case has so far led to criminal charges against nine
people, and the Hackensack police are continuing their
investigation into the alleged thefts by the group, which is
believed to have operated for more than four years. The U.S.
Department of the Treasury and the Internal Revenue Service
also are involved in the investigation, police said.

Insiders Suspected
The police department announced the arrests of the nine
suspects on April 28. They were charged with illegally selling
personal information stolen from bank and New Jersey state
computer databases. The suspects captured screen images of some
records and printed out others, police said.

Police allege that a 35-year-old Hackensack resident set up an
unlicensed company as a collection agency and a business for
locating individuals who had defaulted on payments. He
allegedly paid the bank employees to provide him with data
about customers, including their names, account numbers and
balances.


The employees worked for Wachovia Corp., Bank of America Corp.,
Commerce Bancorp Inc. and PNC Bank NA, according to the
allegations. None were IT staffers.

Fran Durst, a spokeswoman for Wachovia, said the Hackensack
police have released the names of 300,000 people whose
information may have been stolen. Wachovia is notifying about
14,000 of its customers whose names were on the list, she said.

Bank of America hasn't revealed the number of its customers who
may have been affected by the data thefts. Spokeswoman
Alexandra Liftman would say only that the bank has communicated
with about 75 customers whose records are known to have been
accessed.

A spokesman for PNC Bank said it has identified only 12
customers who might be affected. Officials at Commerce Bank
couldn’t be reached for comment last week.

Fujitsu Expands Market
For Biometric System

TOKYO

FUJITSU LTD. last week announced that it will begin selling its
palm-vein biometric security system outside Japan by the end of
this year.

The system, which uses the pattern 
of veins inside a person’s hand to veri- 
fy his identity, has been available in 
Japan since mid-2004 and is already 
being used in some high-profile appli- 
cations. 

For example, The Bank of Tokyo- 
Mitsubishi Ltd., Japan’s third-largest 
retail bank, began rolling out the tech- 
nology last October in its 267 branches 
as an alternative to personal identifica- 
tion numbers for ATM 
transactions. About half 
of the bank’s 3,000 ATMs 
will have the system by 
September. 

The product being offered by Tokyo-based Fujitsu includes a
scanner that is similar to a digital camera but works in the
near-infrared range, so it can detect veins. The system then
uses a proprietary algorithm to match the images produced by
the scanner to a database for verification, taking into account
the number of veins, their position and the points at which
they cross.

MARTYN WILLIAMS, IDG NEWS SERVICE


Sabre to Pay $1B for 
U.K.’s Lastminute.com 


LONDON

SABRE HOLDINGS CORP., the operator of Travelocity.com LP,
announced May 12 that it plans to create Europe’s largest
online travel agency by acquiring London-based Lastminute.com
PLC for £577 million ($1.08 billion U.S.).

Technically, the acqui- 
sition will be made by 
Travelocity Europe Ltd., 
an indirect subsidiary 
that Southlake, Texas- 
based Sabre established 
for the purpose of exe- 
cuting the deal. 

Sabre, which expects to close the acquisition by the end of
July, said that the combined Travelocity and Lastminute.com
business will have strong positions in the U.K., France,
Germany, Italy, Scandinavia and Spain.

LAURA ROHDE, IDG NEWS SERVICE


Asian Telecom Carrier 
Taps Java for Operations 


TOKYO

SUN MICROSYSTEMS INC. last week announced that it will supply
software and servers to KT Corp., South Korea’s dominant
telecommunications carrier, under a deal that Sun says advances
the use of Java in that industry’s back-end systems.

Seoul-based KT, formerly known as Korea Telecom, will use Java
application programming interfaces (APIs), J2EE middleware and
servers running Solaris to tie together the network management,
provisioning and billing systems that support its nationwide
broadband network.

Sun and KT will jointly develop the operational support system,
or OSS, as it’s known among telecom carriers. The deal is part
of Sun’s “OSS through Java” initiative, which uses Java APIs to
integrate components of operational and business support
systems in the telecommunications sector. That industry is
Sun’s biggest vertical market globally.

MARTYN WILLIAMS, IDG NEWS SERVICE

Briefly Noted

Cuba's daily newspaper reported last week that the government
will gradually switch from Windows to the Linux operating
system on all PCs, according to the Agence France-Presse news
service. Roberto del Puerto, director of the country’s IT
office, told the government daily that Cuba already has about
1,500


Xenos Group Inc., based near 
Toronto, announced last week that 
BCEE (Banque et Caisse d’Epargne 
de l’Etat du Luxembourg), the 
largest bank in Luxembourg, plans 
to install its d2e document manage- 
ment software. The Xenos software 
will be integrated with a content 


Two global outsourcing advisory firms based on different sides
of the Atlantic merged last week. Trowbridge Group in Addison,
Texas, and London-based ALS Consulting Ltd. said they have
combined to form Alsbridge Ltd., which will have offices in
both locations.

Symmetrix was three or four
years ago,” said John Hegner, 
vice president of technology 
services at Liberty Medical 
Supply Inc. in Port St. Lucie, 
Fla. “Except for the highest 
feature functionality, I don’t 
see a place for Symmetrix.” 

Hegner manages more than 
50TB of data stored in Clari- 
ion arrays. Liberty Medical 
doesn’t use any Symmetrix 
systems, he said. 

Michael Berthiaume, a systems analyst at American Power
Conversion Corp. in West Kingston, R.I., said his company
recently replaced two older Symmetrix 8530 arrays with one
high-end DMX and one Clariion CX700 array, achieving a
“significant” return on investment.

The Clariion array, which can use either higher-end Fibre
Channel disk drives or lower-cost Advanced Technology
Attachment disks, is used by Berthiaume’s shop for applications
such as Lotus Notes and software from Oracle Corp. and Siebel
Systems Inc. The DMX array is used almost exclusively for CRM
applications, he said.

In the quarter that ended 
March 31, sales of Clariion sys- 
tems totaled $419 million, up 
47% from $285 million in the 
year-earlier period. First-quar- 
ter 2005 sales of Symmetrix 
systems, in contrast, declined 
3% to $652 million. 

Mark Lewis, EMC’s chief 
development officer, said that 
the company is welcoming the 
movement of Symmetrix users 
to midrange systems. 

“We just want to be change embracers,” Lewis said. “At the end
of the day, bring it on. Let it happen. The only risk you
always have is sticking your head in the sand.”

Joel Schwartz, general manager of EMC’s midrange systems
division, said that while Symmetrix will remain a standard for
highly resilient and high-throughput systems, he isn’t troubled
by the user movement away from the line. “If you don’t
cannibalize yourself, someone else will,” he said.


Financial Returns 
Paul Stonchus, data center 
manager at MidAmerica Bank 
in Clarendon Hills, Ill., said he 
thinks EMC’s midrange and 
high-end arrays will merge 
over the next 10 years to be- 
come a single line based on 
the best of their technologies. 
“The disk form factor is the 
same. If they merge, then you 
only have one R&D cost that 
would be less,” said Stonchus, 
whose bank has a mix of 
EMC’s Symmetrix, Clariion 
and Centera fixed-data arrays. 

Tony Prigmore, an analyst at Enterprise Strategy Group Inc. in
Milford, Mass., also said he thinks EMC will eventually move to
a combined storage platform with a common set of code, storage
applications and physical components. He predicted that such a
move by EMC would accompany an industrywide convergence of
midrange and high-end systems.

Prigmore pointed to IBM’s 
release last fall of its Total- 
Storage DS8000 line of arrays, 
which includes both high-end 
and midrange systems that 
share common applications 
and management software. 

“We anticipate seeing that 
same thing with Hitachi Data 
Systems,” he said. 

Prigmore said it makes sense that users would stick with
high-end arrays if they already had significant investments in
storage software and staff trained to support those systems.
But, he added, “the gap is closing here, perception-wise.”

MORE THIS ISSUE
EMC will ship its long-awaited virtualization technology in the
third quarter. Page 14

Compliance


gence Corp. in Westwood, 
Mass., to manage the log data 
generated by its firewalls. 
Calpine later connected its 
other security devices and its 
routers and switches to the ap- 
pliance, said Sean Curry, the 
company’s infrastructure engi- 
neering manager. 

Then the company realized that the appliance could gather and
normalize log information from its Windows and Unix application
servers without requiring agents to be installed on those
systems, Curry said. That has made it ideal for compliance
reporting, he noted.

[Photo: Michael Gabriel of Career Education]

Calpine began using the appliance to collect information from
the servers in January as part of an effort to streamline its
Sarbanes-Oxley Act compliance efforts. Curry said the appliance
now handles an average of 2,200 log items per second
altogether.

Adding to its appeal are functions that let Calpine’s internal
auditors directly generate the reports they need without
involving systems administrators. “We've been able to delegate
the logs out of the systems administrator’s control,” Curry
said.

Catholic Healthcare Partners, a large health care system based
in Cincinnati, is deploying a similar device made by
Intellitactics Inc. in Reston, Va., to manage log data from
more than 2,000 servers spread across its 10 operating regions
and two data centers.

“If I spent five minutes per day looking at the logs from each
system, it would take me 20 man-days per day to look at
everything. It was just too unreasonable,” said Tim Harrison,
information security officer at Catholic Healthcare.

But the Health Insurance Portability and Accountability Act
mandates that companies demonstrate that they have the
necessary controls in place for protecting sensitive data.
Harrison said the Intellitactics appliance will eventually help
Catholic Healthcare deal with roughly 100 million log items
every day, including data gathered from all of the company’s
myriad security devices.

The appliance is expected 
to allow security teams and 
systems administrators to get 
detailed views of log informa- 
tion pertaining to their specif- 
ic domains, he said. In addi- 
tion, the company’s auditors 
should be able to specify the 
kind of data they need to see 
for compliance purposes. 


Two-Pronged Approach 
Michael Gabriel, corporate IT 
security manager at Hoffman 
Estates, Ill.-based Career Edu- 
cation Corp., a $1.73 billion 
provider of postsecondary ed- 
ucation, said there are two as- 
pects to auditing internal con- 
trols on end users’ access to 
systems and data. 

“There's the part that deals with the collection of the data,
and there’s the part that deals with the mining of the data for
useful information,” Gabriel said. “If you aren't doing the
first one right, the second doesn’t matter.”

Career Education is using a product from Edison, N.J.-based
NetForensics Inc. to collect about 6 million log items per day
from its systems. The technology has “put us in a position
where we can demonstrate we have all the needed controls,”
Gabriel said.

“The ability of these tools to centralize reporting
capabilities is one of their chief values from an auditing and
compliance standpoint,” said Scott Crawford, an analyst at
Enterprise Management Associates Inc. in Boulder, Colo.

Gartner’s Williams noted that the technology’s support for
collecting information from virtually any source has made it
ideal for monitoring activity on sensitive systems such as
accounting and human resources.

User Demand Sparks Vendor Changes

THE INCREASING USE of security event and information management
appliances for regulatory compliance reporting is prompting
some vendors to tweak their product development and marketing
strategies.

Last week, for instance, San Jose-based NetIQ Corp. announced
compliance-oriented versions of its security event management
products. Its Security Compliance Suite comes in two flavors
and features a new log-management component and templates
designed to help companies assess and report on their
compliance with laws such as the Sarbanes-Oxley Act, HIPAA and
the Gramm-Leach-Bliley Act.

In March, Network Intelligence upgraded its enVision security
event management suite with a new compliance-reporting
dashboard and functions for gathering log information from a
wider set of sources, including IBM's older OS/390 mainframes
and AS/400 systems and Web servers that run Microsoft Corp.'s
Internet Information Services software.

Market forces are driving the changes, said Jim Melvin, vice
president of marketing at Network Intelligence. The tools were
once used purely for collecting information from firewalls and
intrusion-detection systems to support IT security efforts,
Melvin said. But over the past two quarters, demand from
security users has been matched by interest from companies
looking to use the products for compliance reporting, he said.

Pam Casale, vice president of product management at
Intellitactics, said the company added features for automating
log monitoring and reporting in April after it also started
seeing increasing demand for such capabilities.

“It's changing the way we develop products,” said Tom Foladare,
senior director of business development at NetForensics. “Now
we worry about asset groups and business processes and being
able to take every server that is dealing with a SOX issue and
put them into different groups.”

- Jaikumar Vijayan

EMC Sets Pricing, Availability
Of Virtualization Technology

BY LUCAS MEARIAN
NEW ORLEANS

EMC Corp. formally announced a shipping schedule for its
long-awaited storage virtualization technology last week at its
annual user conference here.

EMC officials acknowledged that the availability of Invista,
code-named Storage Router, is a quarter behind schedule.
Company executives attributed the delay to “common” development
issues.

Users interviewed last week downplayed the delay, saying that
they are in no rush to implement the technology, which is
priced starting at $225,000.

The new Invista system will reside on products from three
leading switch vendors and will be generally available next
quarter, said Mark Lewis, chief development officer at EMC.

Paul Stonchus, a data center manager at MidAmerica Bank in
Clarendon Hills, Ill., said that he has EMC Symmetrix, Clariion
and Centera arrays in his data center and would eventually like
to use Invista to migrate data across arrays. But he noted that
he’s not yet ready to “reinvent the wheel.”

“I’m intrigued by it,” he said. “Once we decide to cross our
Clariion and Symmetrix [environments], it will make all the
sense in the world. But for now, I'll wait for Rev. 2.”

Speaking at EMC’s Technology Summit here, Lewis told about
4,000 attendees that Invista will be most valuable in migrating
data off aging systems or from one box to another during
software upgrades in order to avoid disrupting applications.

Michael Berthiaume, a systems analyst at American Power
Conversion Corp., said he’s interested in Invista because it
could eliminate planned downtime in data migrations of
applications like Lotus Notes, Oracle and Siebel from high-end
systems to midrange systems for better price performance.

Product Plans
According to Lewis, the first version of Invista will reside on
EMC’s own Connectrix switches, Cisco Systems Inc.'s MDS line of
switches and Brocade Communications Systems Inc.’s
multiprotocol switches. It is expected to be available on
McData Corp.’s switches in early 2006.

The switch-based virtualization firmware will support all of
EMC’s Clariion and Symmetrix storage offerings, as well as
systems from Hewlett-Packard Co., IBM and Hitachi Data Systems
Corp., according to Lewis.

Nancy Hurley, an analyst at Enterprise Strategy Group Inc. in
Milford, Mass., said that while EMC is the last of the leading
vendors to release a virtualization product of this caliber,
the gradual adoption of virtualization technologies will allow
it to gain adequate market share. IBM, Network Appliance Inc.,
HP and Hitachi are already selling competitive systems.

Mario Arbelaez, a storage engineer at software vendor Acxiom
Corp. in Little Rock, Ark., said he would like to evaluate
Invista because migrating data when upgrading storage
management software causes application downtime.

Arbelaez, who has storage from HP, IBM, Storage Technology
Corp. and EMC, said Invista’s $225,000 price tag isn’t too
expensive “when you're talking trying to migrate 25TB of data.”

DON TENNANT


A Matter of Image 


HOW’S THIS FOR BAD LUCK? You're a bank, and your check-sorting
machine goofs up and puts canceled checks in the wrong
statement envelope so they’re sent out to the wrong customer.
How’s this for worse luck? The wrong customer is a journalist.
Me.

You can imagine my befuddlement when I opened my bank statement
a couple of weeks ago and found five canceled checks that
weren’t mine. The checks were written by another customer here
in Massachusetts, a person we'll call “Joan Day.” We'll call
her that for two reasons: First, it’s not her real name;
second, “Jane Doe” is way overused.

Now, from these checks, here's what I know about Joan: Her
name, husband’s name, address, home phone number, driver’s
license number and expiration date, date of birth and checking
account number. I also have five signature samples. Oh, and I
know where Joan likes to shop, and that she has a kid taking
gymnastics.

This compromise of Joan’s personal information was bad news —
not only for Joan, but for the bank whose mistake allowed it to
happen. Citizens Bank, an arm of Citizens Financial Group Inc.
in Providence, R.I., is aware that any bank’s lifeblood is the
confidence of its customers, and that includes confidence that
personal privacy will be protected.

So, how does something like this happen? According to Avivah
Litan, an analyst at Gartner Inc., it’s “sloppy work” that’s
“really inexcusable.”

Litan contends that banks’ check-processing resources “are
being funneled to electronic image capture at the expense of
the manual check-handling process.”

Interesting that Litan mentioned electronic image capture. It
so happens that my statement envelope contained a brochure
inviting me to opt for check imaging. The brochure promoted the
service, which would provide images of the checks on the
statement rather than the canceled checks themselves, as one
that would “reduce the risk of misplacing a canceled check.” I
don’t think they were referring to the risk of the bank
misplacing it, but you get the idea.

The good news is that when I informed the bank of the breach,
the matter was taken seriously. A spokeswoman said Joan would
be notified immediately, receive an apology and be given the
option of closing her account and opening a new one.
Commendably, moreover, I was put in touch with Bill Wray, CIO
at Citizens Financial Group, to discuss the goof-up.

Wray certainly didn’t diminish the seriousness of the compromise, but he dismissed the notion of it being a resource allocation issue. He explained that when you have around 5 million checks running through electromechanical sorters nightly, on very rare occasions the checks might stick together and be stuffed in the wrong envelope. Wray noted that with check imaging, there’s virtually no chance for this to happen, and there’s an added fraud-management benefit, since investigators can get immediate access to check images. Seems to me that going the imaging route is a no-brainer.

It makes me wonder why Massa- 
chusetts law requires customers to 
opt in for check imaging, while all 
the other states in which Citizens 
Bank does business require custom- 
ers to opt out if they want to contin- 
ue receiving their canceled paper 
checks instead. Given that Joan’s 
checks could easily have ended up in 
even worse hands than mine, I'd say 
this is a case when opt-out is clearly 
the superior approach @ 54470 


“IT'S A DATA SECURITY PROMOTION FROM OUR BANK. THEY SENT US SOMEONE ELSE'S CANCELLED CHECKS.”
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Riding the 
Wave to a
Perfect Day 


YOU’VE HAD one of those days. No, not one of those days that cause you to wonder why in the world you ever chose mathematics over marketing or computer science over cultural anthropology. No, it was one of those days when it all comes together, when the major installation hits and — deep breath — actually works.

On days like this, you think of the people on your team who made this happen, admiring their dedication and persistence. You also think of the owners of the project, from the head of marketing to the part-time customer service rep, who dedicated time and resources to make sure that your people had a solid business case and good requirements. You even remember back to the governance meeting when this particular project was chosen. You knew then that it wasn’t going to be easy but that if you could get it done, you'd make the company even more competitive. You knew it was going to be a great project.

And then along came another great project. It was also critical to the company’s success, and it quickly became clear that you needed to do both. But that was OK, you figured, because the first project should be over months ahead of the second.

Then stuff began to happen. A month into the work, you felt as if both projects were slipping through your fingers. Doing both at once and maintaining normal work was straining the resources of the rest of the company. First, the business requirements came in just under the wire. Then the vendors made offers that you could refuse, and negotiations with legal never seemed to quite reach an end. The second month went by, and then the third.

Soon it became apparent that both 
projects would launch in the same 
month. The team started talking about 
a perfect storm. You kept thinking 
about the movie — don’t they all die in 
the movie? It could indeed be a perfect 
storm, at least for your career. 

Then early code releases were deliv- 
ered. The business owners started to get 
excited. The buzz among them was that 
this was going to be a killer app. Right 
then in the meeting you started think- 
ing, Just what I need — the killer app in 
the perfect storm. There were far too 
many references to death, and your in- 
ward chant became “Live, project, live!” 

But that’s when the team started to 
hit its groove. Technical issues arose 
but were quickly resolved. Testing con- 
tinued, with bugs getting worked out 
faster than QA could keep up with 
their documentation. Early soft launch- 
es for both projects were discussed 
and approved. The soft launches hit, 
experienced a few bumps but went on. 

And today, when you launched, it 
was smooth sailing. No perfect storm, 
just two killer apps riding the waves. 

Now, as you’re walking down the 
hallway feeling relieved, you glance at 
your BlackBerry and see an e-mail 
from the CFO. Apparently there is a 
concern in accounting. 

You craft your polite response to the 
CFO, cc’ing the project manager. The 
project manager bolts out of a meeting, 
finds you and tells you that yes, ac- 
counting had recently expressed some 
reservations, but it had signed off on 
the process a month ago. The project 
manager and the CFO straighten 
everything out, and 90 minutes later 
there are no more concerns in ac- 
counting. You finally breathe, head 
back to the hotel and call home. 

It’s been a great day. @ 54412 


DAVID MOSCHELLA 


IT at the 
Front of Your 
Company 

HOW MANY TIMES have you heard someone proclaim that blogs, particularly in conjunction with RSS, are the next big thing?

The latest and loudest of these as- 
sertions came from Business Week. 
The cover of its May 2 issue screams 
in giant red type that “blogs will 
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change your business.” Af- 
ter all, they brought down 
Dan Rather. 

Although it’s easy enough 
to deflate some of this hype, 
a more practical exercise is 
to try to ask what blogs, 
RSS, podcasts, peer-to-peer 
and the whole “smart mob” 
movement might mean to 
corporate IT. Perhaps not 
surprisingly, the answer is 
“It depends,” a response 
that isn’t as equivocal as it 
might first appear. 

Exaggerations aside, it’s
true that the explosion in blog usage is
evidence of a significant new IT fron- 
tier. For many years, IT was primarily 
used to automate the flow of records, 
documents and communication inside 
your organization. Then, with the 
Web’s arrival, direct links with cus- 
tomers and suppliers proliferated. This 
latest set of tools and services has the 
potential to capture the conversations, 
feelings and activity of your actual 
marketplaces. Essentially, a new plat- 
form is emerging at the very front of 
your company. 

As I have argued several times in this column, the task of IT value creation is becoming the responsibility of not only IT suppliers and departments, but also customers themselves. Business books and journals now promote concepts such as co-evolution, co-creation, customer experience and democratic innovation. That speaks to a trend that feels fuzzy today but will likely appear obvious within a few years. Successful companies will find ways to harness the energies of their customers, as the open-source movement already has.

That the significance of these ideas depends upon the business you're in is nothing new. Clearly, industries such as health care, entertainment and automobiles tend to have more-active communities of customers than, say, canned foods. But it’s not hard to imagine that within a few years, forward-thinking companies in an impressive range of sectors will have real-time systems that capture, map and respond to the way their products and services are being used, evaluated and discussed. Such systems could render many traditional forms of market research obsolete.

And for corporate IT, that is the rub. What role, if any, will you play in influencing the development of systems that will principally serve the needs of marketing, product development and customer service, but often with little direct connection to the back-end transaction systems managed by corporate IT? Just as marketing typically controls the company Web site, it will also take the lead on these high-profile and often experimental initiatives. The question is whether it will look to corporate IT for help or decide that the expertise it needs resides elsewhere.

One of the misconceptions regarding the use of outsourced services is that they are best suited for low-value, back-office activity. But high-value services requiring scarce capabilities can be an equally attractive option. A whole new set of enhanced search, business intelligence and pattern-recognition suppliers is emerging that will be at the cutting edge of front-of-the-company technology deployment.

My company’s research shows that when it comes to the IT organization's relationships with key company domains, the most fractious is often with marketing. Whether corporate IT will play a big role in the customer-driven world of the future will largely depend upon whether this relationship becomes more closely aligned. @ 54405

More columnists and links to archives of previous columns are on our Web site: www.computerworld.com/columns


Cohen Is Right: Visas Are Wrong

THANK YOU for doing the interview with Gerry Cohen [“Q&A: Information Builders CEO Blasts Gates’ H-1B Stand,” QuickLink 54143]. This guy is an American hero for sticking to his guns and bucking the popular trends. But most of all, he is a hero for being willing to stick out his neck and tell the IT industry that H-1B and L-1 visas are the wrong solution for this industry.

Cohen says many of the things that the members of TechsUnite and ProgrammersGuild have been saying for years - there is no shortage of workers, and the more that industry demands the importation of cheap labor, the worse the overall IT industry is going to fare in the U.S.

Information Builders, which Cohen built from the ground up, is one of those rare companies that acts ethically while at the same time trying to derive the greatest return for its stockholders. In the past, I was a customer of IBI. It's becoming clear to me that it's the kind of company that I want to be a customer of in the future!

Walt Crosby
Executive vice president,
Terabase Corp.,
Danvers, Mass.,
walt@terabase.com


Apple’s Just Another Closed Monopoly . . .

IN HIS letter to the editor about Microsoft and Linux, Daniel Reiss wrote, “Better yet, switch to Apple. Better hardware, better operating system, better use of open-source and no threat of litigation from SCO or Microsoft” [QuickLink 52909].

Whether or not the statements concerning hardware and operating system are true, there is a major problem with this advice. Moving from Microsoft to Apple is like jumping out of the frying pan into the fire. You have only traded monopolies. You have gone from an organization that controls the operating system and software to one that controls the hardware and operating system. You have gone from one straitjacket to another. You may be better off for awhile, but eventually you will be in trouble because you are in a closed, controlled, monopolistic system. Currently, the only viable alternative is Linux, open systems and a variety of hardware.

George Washburn
Marion, Ala.


Big Bucks for ‘Cool’

I WHOLEHEARTEDLY AGREE with Michael Gartenberg’s opinion about the features on Apple’s new Tiger operating system: They are cool [“Apple Takes Major Leap With Tiger,” QuickLink 53958]. What he hasn't worked out, apparently, is that corporate America doesn't want to pay for cool.

Apple consistently extracts more money from your pocket than most other manufacturers, and it is more proprietary than Microsoft has ever been, yet it still wonders why its market share doesn't increase by leaps and bounds.

I'm sorry, but you are going to have to convince me that Apple has shed its exclusivity before I will even get interested again.

Bob Sibson
Enterprise architect,
Adelaide, South Australia


COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 1 Speen Street, Framingham, Mass. 01701. Fax: (508) 879-4843. E-mail: letters@computerworld.com. Include an address and phone number for immediate verification.

For more letters on these and other topics, go to www.computerworld.com/letters








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Rounding Up 

Business Rules 

Organizations are finding that business rules 
engines and management systems can automate 
enforcement of the rules necessary to make 
processes run smoothly. IT leaders such as 
Donna Ramos-Johnson explain how. Page 24 


SECURITY MANAGER'S JOURNAL 
Protecting Consumer 

Data on the Cheap 

A mandate to protect personal data in the 
state agency's databases isn’t accompanied 
by any extra funds, so C.J. Kelly has to come 
up with an inexpensive way to do it. Page 30 


Vulnerability management 
technology allows 
companies to choose 
which threats are most 
urgent and which IT assets 
take priority for protection. 


FUTURE WATCH 

Coming: Sensors and 

Pixels Everywhere 

Accenture’s Anatole Gershman discusses 
ongoing work on intelligence technol- 
ogies that are aimed at connecting IT sys- 
tems with the physical world. Page 34 


LLOYD HESSION has a simple philosophy for dealing with vulnerabilities on his company’s network: Know which ones need to be fixed right away and which can be safely put off for later.

The sheer number of vulnerabilities that can exist on a network makes it impossible to address all of them at the same time without serious disruption, says Hession, chief information security officer at Radianz, a New York-based provider of network connectivity services to financial firms.

So the key is to have a formal vul- 
nerability management process to 
identify problems, categorize them by 
severity and prioritize responses, he 
explains. 

“It’s all about arriving at some sort 
of a risk determination and figuring 
how seriously you need to address it,” 
he says. “The days of people running 
out and patching everything are over.” 

Hession isn’t alone. Finding out 
what to protect on the network and 
how much protection is needed is sud- 
denly becoming a lot more important 
to companies than it was even two 
years ago, says Scott Crawford, an ana- 
lyst at Enterprise Management Associ- 
ates in Boulder, Colo. 

The never-ending barrage of soft- 
ware vulnerability announcements 
and the constant, sometimes compet- 
ing, need to fix them is pushing com- 
panies to look for more efficient ways 
to deal with the problem, he says. 

Instead of rushing to apply costly 
fixes to every flaw that’s announced, 
the goal is to take a more selective ap- 
proach by prioritizing threats, adds 
Crawford. 

“Vulnerability management tools 
are going to be in great demand where 
exposure to external risk is high,” 
Crawford says. That’s because the 
tools are designed to impose order on 
a process that has, in the past, simply 
been urgently reactive. 

There are several components to a vulnerability management process, users say. Fundamental to the effort are vulnerability assessment scans. They help companies discover network assets and any software holes or configuration errors that might exist in them.

22 COMPUTERWORLD May 23, 2005

Vulnerability and asset classifica- 
tion, as well as risk metrics, are needed 
to help companies prioritize responses 
to the threats. 

Mitigation and blocking measures may be needed to deal with some threats for which software updates or other fixes may not be immediately available. And monitoring and measurement processes are crucial to ensure that fixes and changes that have been made remain in place.


Detection and Remediation 


A good management process helps 
companies identify and remediate 
the network vulnerabilities that really 
matter, says Derek Milroy, a security 
architect at Career Education Corp. 
(CEC), a $1.73 billion company in 
Hoffman Estates, Ill., that runs post- 
secondary education programs. 

A vulnerability management system 
allows companies to collect informa- 
tion on and understand various threats 
to corporate networks, and it shortens 
the reaction time needed to deal with 
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them, he says. Also important, it en- 
ables IT administrators to focus their 
time and resources on only the prob- 
lems that need fixing, Milroy says. 

“It really is the core central instru- 
mentation that enables a security func- 
tion to operate within the organiza- 
tion,” says Robert Garigue, chief infor- 
mation security officer at the Bank of 
Montreal in Toronto. 

Radianz has adopted several mea- 
sures for managing vulnerabilities on 
its networks and systems. The compa- 
ny doesn’t do too many routine vulner- 
ability scans, Hession says. But when it 
does, it looks for known software holes 
as well as configuration errors, rogue 
machines and services that could be 
exploited, he says. 

Radianz has also classified its sys- 
tems into various groups depending on 
their importance to the organization. 
Critical financial and human resources 
systems and those belonging to senior 
executives, for instance, get fixed 
faster than those that aren’t as impor- 
tant. Most of the company’s desktops 
have host firewalls for detecting and 
blocking intrusions at the client level. 

“This way, even if there are any vul- 
nerabilities on those systems, they are 
not directly exploitable because of 
the fact that the personal firewalls 
are blocking it,” Hession explains. 
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“It buys you some time to go out and 
patch systems.” 

Asset and response prioritization is 
a key aspect of any vulnerability man- 
agement strategy, Milroy says. 


Categorizing Assets 

For the past nine months, CEC has been using an on-demand service from Qualys Inc. to perform asset discovery, asset prioritization, vulnerability assessment and analysis as well as remediation.

Like many other companies, CEC 
has organized its network assets into 
multiple security categories. It rates 
those categories from 1 to 5 depending 
on their importance to enterprise op- 
erations. Data center servers and those 
running crucial databases and rev- 
enue-generating applications, for in- 


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stance, are considered Category 5, 
while some rarely used file servers 
might be a Category 1. 

Similarly, vulnerabilities are color- 
coded depending on their severity, 
with red being the most critical. CEC 
runs weekly vulnerability scans of its 
network and prioritizes its responses 
based on asset importance and vulner- 
ability severity. 

A vulnerability in a database server 
that can be remotely exploited or for 
which a worm already exists might be 
assigned a Red 5 rating, which means 
that it needs to be fixed immediately, 
Milroy says. 

In some cases, a serious vulnerabili- 
ty might exist in a critical system but 
there may be no immediate threat di- 
rected against it, in which case it may 
be better to do a more planned remedi- 
ation rather than risk the disruption of 
an immediate fix, he says. 
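
The scheme Milroy describes (asset categories 1 to 5, color-coded severity, and a different response when no immediate threat exists) can be sketched as a small triage routine. This is an added example, not code from CEC or Qualys; the "orange" and "yellow" labels, the `active_threat` flag, the score formula and the "next-scan-cycle" band are assumptions, since the article names only red and the Red 5 case.

```python
from dataclasses import dataclass

# Assumed colour scale: the article only says red is the most critical.
SEVERITY_RANK = {"yellow": 1, "orange": 2, "red": 3}

# Response bands, most urgent first. "next-scan-cycle" is an assumed name for
# everything that is not a Red 5; the article describes weekly scans.
ACTION_ORDER = {"fix-immediately": 0, "planned-remediation": 1, "next-scan-cycle": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    asset_category: int          # 1 = rarely used file server ... 5 = data center / revenue systems
    severity: str                # key of SEVERITY_RANK
    active_threat: bool = False  # assumed flag: an immediate threat is directed at this flaw

    def __post_init__(self):
        # Reject ratings outside the 1-5 / colour scheme instead of mis-ranking them.
        if self.asset_category not in range(1, 6):
            raise ValueError(f"asset category must be 1-5, got {self.asset_category}")
        if self.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity colour: {self.severity!r}")

    @property
    def label(self) -> str:
        # Combined rating in the article's style, e.g. "Red 5".
        return f"{self.severity.capitalize()} {self.asset_category}"

    @property
    def score(self) -> int:
        # Assumed ordering rule inside a band: severity rank times asset category.
        return SEVERITY_RANK[self.severity] * self.asset_category


def triage(finding: Finding) -> str:
    """Map one finding to a response band."""
    if finding.severity == "red" and finding.asset_category == 5:
        # Red 5 is fixed at once when a threat is live; otherwise a planned
        # change avoids the disruption of an emergency fix on a critical system.
        return "fix-immediately" if finding.active_threat else "planned-remediation"
    return "next-scan-cycle"


def build_queue(findings):
    """Return (host, label, action) tuples, most urgent first."""
    rows = [(triage(f), f) for f in findings]
    rows.sort(key=lambda r: (ACTION_ORDER[r[0]], -r[1].score, r[1].host))
    return [(f.host, f.label, action) for action, f in rows]


# Constructed sample scan results (hypothetical host names).
SAMPLE = [
    Finding("files07", 1, "red", active_threat=True),
    Finding("web03", 4, "orange"),
    Finding("erp01", 5, "red"),
    Finding("db01", 5, "red", active_threat=True),
    Finding("hr02", 5, "yellow"),
]

if __name__ == "__main__":
    for host, label, action in build_queue(SAMPLE):
        print(f"{host:8} {label:9} {action}")
```
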


Realistic Strategies 

CEC largely depends on vendor classi- 
fications to determine the severity of 
vulnerabilities, but it also uses its own 
internal filters and analysis to deter- 
mine whether an issue is really critical. 

“I’m trying to keep it realistic. All 
you really care for are the Category 5 
vulnerabilities,” Milroy says. “Can you 
root the machine? Can it get hit by a 
worm? Is it remotely exploitable?” 

Key to a good vulnerability manage- 
ment strategy is an understanding of 
the various interdependencies that ex- 
ist between systems on your network, 
says Ed Cooper, vice president of prod- 
uct management at Skybox Security 
Inc., a Palo Alto, Calif.-based vendor of 
risk management software. 

Sometimes, for instance, fixing the 
problem on a single upstream server 
or router may be all that’s needed to 
mitigate the risk posed by a vulnerabil- 
ity on multiple servers, he says. 

Knowing precisely which holes to 
close on which server or workstation 
can tremendously reduce response 
times and help focus effort on the real 
threats, Cooper says. 

Skybox offers a tool that allows a 
company to build virtual models of its 
entire network that it can use to simu- 
late attacks and understand the poten- 
tial consequences of vulnerabilities. 

Often, the risk a vulnerability poses to a system might need to be balanced against the potential business disruption or revenue loss that might result from taking the system down to fix it, says David Giambruno, director of strategic infrastructure and security at Pitney Bowes Inc., a $5 billion mail and document management firm based in Stamford, Conn.

Software patches and mitigation 
approaches can sometimes interrupt 
needed services or functions on core 
systems, causing problems that ripple 
throughout the business. 

In such cases, it’s a good idea to have 
an “exceptions management” process 
under which some sort of compensat- 
ing controls are put in place. It’s also a 
good idea to make business owners 
aware of all potential risks and have 
them sign off on it, Giambruno says. 

The complexity of modern networks 
makes it vital to have tools for auto- 
mating the discovery and remediation 
of assets and vulnerabilities at the net- 
work, application and database levels, 
Giambruno says. 

For example, Pitney Bowes is using a 
service from McAfee Inc.’s Foundstone 
Inc. business to scan its networks for 
vulnerabilities once a week. 

A real-time patch and configuration 
management tool from BigFix Inc. in 
Emeryville, Calif., helps Pitney Bowes 
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quickly test and deploy patches across 
its global infrastructure in less than an 
hour if needed. 

A database-scanning tool called AppDetective from Application Security Inc. in New York helps Pitney Bowes scan for and discover any vulnerabilities that might exist in the database.


Mandate to Act 


Vulnerability management tools and 
practices can provide a lot of good in- 
formation about the risks companies 
face, but they raise their own chal- 
lenges, users say. 

“Vulnerability assessment gives you 
this view of the entire organization. 
Then you've got to analyze the results 
and ask yourself, ‘What have I seen? 
What does it mean, and who is respon- 
sible for fixing it?’” says Garigue. 

“You need to have a good quantita- 
tive understanding of what the tools 
are trying to tell you before you go to 
the business side and ask them to fix 
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things,” Garigue says. “If not, you are 
going to end up with a lot of cross 
talk.” 

Desktops and other client devices pose big security risks, but scanning them for vulnerabilities can be challenging because they are so portable, says Amy Hennings, assistant director of information security at George Washington University in Washington.

In the university’s case, it made per- 
sonal firewalls freely available to desk- 
top users as part of a bid to improve 
security. Ironically, those firewalls are 
now making it difficult to perform 
vulnerability scans on the systems, 
Hennings says. 

“The key thing to remember is that 
IT has limited resources,” Radianz’s 
Hession says. “So it’s all about priori- 
tizing and acknowledging that there'll 
always be some trade-off issues.” 

At the same time, though, try to keep 
it simple. “You don’t want to make it 
overly complicated,” Hession says. 
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of Washington's office of the CTO used a business rules engine to determine residents’ eligibility for aid programs. 
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Do you know 
where all of 
your compa- 
ny’s business 
rules are? 


Most enterprise users are surprised 
to discover how many important — 
and not-so-important — rules, regula- 
tions, policies and procedures are scat- 
tered all around the organization. For 
example, last year’s marketing manual 
has guidelines for creating advertising 
campaigns; equations for calculating 
employees’ health and retirement ben- 
efits are embedded in Cobol code; and 
best practices for writing software 
code reside only in the minds of senior 
developers, since no one has been 
asked to write them down. 

In older, slower eras, this diffusion of policies and rules wasn’t such a big problem. But business and IT executives find themselves under greater pressure than ever to adapt to rapid changes in the market and in government regulations — as well as to operate at maximum efficiency. As a result, they are looking to round up these renegade rules and put them someplace they can be easily accessed, updated and applied to business processes. To do that, they’re turning to business rules engines — execution environments and repositories for business rules — and management systems.





CATCHING ERRANT CLAIMS 

A case in point: The District of Columbia provides financial assistance to needy residents, some of whom also qualify for Medicaid or other federal programs. Recently, managers working for the district discovered that the local aid program was often getting the bill for services that should have been covered by federal programs. If an employee failed to catch such errors, it would be a costly misapplication of the rules.

To catch more of the bad claims and 
more quickly process legitimate ones, 
the district began developing its Auto- 
mated Client Eligibility Determination 
System. The new system relies on 
ILOG Inc.’s ILOG Rules business rules 
engine to determine eligibility for D.C. 
and federal programs. It asks appli- 
cants a series of questions — much 
like a TurboTax automated tax pro- 
gram does — and then prints out com- 
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pleted applications for the programs 
for which they are qualified. 

The ILOG engine, which is accessi- 
ble to anyone with a Web browser, has 
a very high accuracy rating — 99%, ac- 
cording to Donna Ramos-Johnson, as- 
sociate director at Washington’s Office 
of the Chief Technology Officer. That 
delivers better performance than the 
legacy system, which is an IBM main- 
frame running an Adabas/Natural 
database that was used internally 
for claims processing and financial 
transactions. 

Ramos-Johnson says more federal 
programs will be added to the rules 
repository, which will eventually be 
used by the legacy system as well. “We 
expect to have the major federal pro- 
grams online by September,” she says. 


WHO NEEDS THEM 

Rules engines have been around since 
the early 1990s when companies such 
as Pegasystems Inc. in Cambridge, 
Mass., Fair Isaac Corp. in Minneapolis 
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and ILOG in Mountain View, Calif., 
sold them. They were typically used in rules-heavy industries such as finance and insurance. Over the past few years, however, many vendors have entered the market, and more companies are looking at rules engines as a way to gain greater flexibility in business operations.

“What’s driving new interest in business rules is the need for business agility,” says David Kelly, president of Upside Research Inc. in Newton, Mass. “Companies need to be able to create applications and business processes that can adapt rapidly to marketplace demands.”

Rules engines provide this kind of flexibility by making it possible
to edit the steps, or rules, of a business process. Traditionally,
those steps have been coded into the application. But with a rules
engine, they can be written in a natural-language authoring language
and stored separately in a managed repository. Applications are then
instructed to access the rules engine, and the rules themselves can be
updated quickly by semitechnical users rather than programmers.

Also, notes Kelly, business rules systems can help companies prove
compliance with government regulations by providing an audit trail of
procedures and changes to those procedures.

A BUSINESS RULES ENGINE is only as good as what's in it. And the first
step of any business rules project should be to identify all of the
rules in your organization, according to Ladd Bethune, senior
technical consultant at Lambert Technical Services LLC in Lebanon,
Conn.

Once you've identified and extracted your existing rules, and before
you transfer them into a business rules engine, you need to evaluate
the quality of the rules, says Bethune. They may need to be edited or
rewritten in order to make them sustainable for the long term.


LIVING WITH LEGACY APPS

Legacy applications are one major reason organizations are turning to
rules engines. When companies have many rules embedded in legacy code,
moving them to a rules engine enables users to make changes without
having to constantly rewrite code.

Sterling, Va.-based First American Field Services, which provides
property inspection and maintenance services to banks, turned to rules
management after it reached an impasse with its legacy system.

“It was so spider-webbed, there was custom code for each of our
clients, and it was just so difficult to change,” says Mark Davis,
development manager for MIS at First American.

26 COMPUTERWORLD May 25, 2005

Three years ago, First American be- 
gan developing a property inspection 
and maintenance system using Fair 
Isaac’s Blaze Advisor rules engine. 
That application is linked to a DB2 
database and Visual Basic .Net work- 
flow engines that consult the rules en- 
gine to determine a course of action, 
such as what service to order. Rules 
are edited via an English-based author- 
ing language and Fair Isaac’s Visual 
Ruleflow Editor, with drag-and-drop 
icons for graphically creating business 
processes. 


... of technology research services at Gartner Inc., says ...
typically have the following features:

Guidelines for identifying and documenting rules

A graphical user interface for authoring and editing the rules

Visualization of the process flows created by multiple rules

Rule testing and debugging

Integration with other development applications

Rules-mining capability to harvest rules from legacy systems

A rules repository

Support for role-based access by different users

Rule consistency checks to ensure accuracy and enable rules reuse

“It’s very easy to make changes now,” says Davis.

Brian Stucky, the “enterprise rule 
steward” at New York-based Freddie 
Mac, also credits business rules man- 
agement with simplifying the process 
of changing rules. Managing policies 
became much easier after the federally 
chartered mortgage lender replaced a 
legacy system with an application tied 
to an ILOG JRules engine. 

“We have a huge number of business 
rules. Before, to make a change, we’d 
have to get a mainframe guy to find the 
rule, make the change, retest the sys- 
tem, put it back into service,” Stucky 
says. “It was such a lengthy procedure 
that we often waited until we had sev- 
eral changes to make. Now we can sup- 
port rapid change in rules as needed.” 

Other companies are also using rules 
engines to improve operating efficien- 
cy. AMR Inc., a national medical trans- 
portation company in Greenwood Vil- 
lage, Colo., uses a rules engine to man- 
age its fleet of vehicles more cost- 
effectively. 

“Before, if someone needed trans- 
port to get an X-ray, we might send out 
the most expensive rig — an advanced 
life-support system — and transport 
them to the hospital at a high cost,” 
explains Mark Kalevik, a software en- 
gineering manager at AMR. Now the 
company relies on CleverPath Aion 
Business Rules Expert from Computer 
Associates International Inc. to deter- 
mine which type of vehicle to autho- 
rize and how quickly it must respond. 


DRIVEN BY BPM AND SOA 
Interest in business process manage- 
ment (BPM) is also driving interest in 
business rules. 

“Business rules engines 
are becoming an important 
part of other solutions, such 
as business process manage- 
ment,” says Kelly, noting 
that it’s common for BPM 
vendors to partner with 
rules engine providers. 

Another complementary trend is the increasing use of Web services and
service-oriented architectures. When building an SOA framework,
organizations are adding a business rules layer to go along with the
business logic, workflow and data layers.

Chicago-based Promissor Inc., a provider of educational testing and
licensing services, is developing just such an SOA. The company
created a registration system that could be used remotely by on-site
registrars with laptops or handheld devices for screening and
registering test applicants. To make the system more accessible by
handhelds in remote locations, Promissor built the application using
Web services.

“We’ve rearchitected, with the rules engine as the cornerstone,” says
Robert Crouch, vice president of IT at Promissor. The company selected
Sewickley, Pa.-based Haley Systems Inc.’s HaleyRules engine and
HaleyAuthority rules-authoring tool to create and manage the
registration rules. “The Haley engine is light enough to load on a
PDA, so we do not need Internet connectivity to operate,” Crouch says.
Promissor preferred Haley’s natural-language interface, which enabled
business users to easily edit rules. It also liked Haley’s small
footprint, says Crouch.

VENDORS AND PRODUCTS

For a list of rules engines and business rules management systems
vendors, visit our Web site
www.computerworld.com

Advise or Control

James Sinur, an analyst at Gartner Inc., explains that rules engines
are used either to control transactions and processes or to provide
advice and analysis.

“About 50% of business rules engines are used in an advisory role:
‘Should I do this or that?’ The other 50% are used in business
processes,” he says.

According to Sinur, there are three categories of rules systems.

1. SIMPLE RULES EXTERNALIZATION. This system allows an organization to
express its rules in a standard format, house them in a repository,
view them in decision trees or tables, and edit them as needed.

2. INFERENCE ENGINE. If the questions you need to put to a rules
engine tend to be more sophisticated than simple “yes” or “no”
equations, then you may need an inference engine, which uses
probabilities and backward chaining through the rules to discover
multiple possible solutions to the same end.

3. BEHAVIORAL LEARNING. These advanced systems use case-based
reasoning and are “trained” to recognize a variety of scenarios.

- Sue Hildreth
Options for viewing and editing rules can be important. Users may want
to work with rules via a decision table, a decision tree or some other
format that they’re familiar with.

Cesar Gomez, manager of systems operations and application development
at Horizon Casualty Services in Newark, N.J., especially likes the
visual features of the RulesPower product from RulesPower Inc. in
Burlington, Mass., which Horizon installed as part of a new
bill-processing program last year.

“What impressed us was the visual diagramming of the workflows,” Gomez
says. “It’s like an interactive Visio screen. It gave the business
people the ability to visualize how the business rules flowed within
the program.”

Horizon’s RulesPower-based bill-processing application has enabled the
firm to reassign three of its six bill processors to handling
exceptions — nonstandard claims that require human scrutiny — and to
substantially reduce its backlog of claims. The use of a rules engine
has even cut the cost of processing a claim by 30%, according to
Gomez.


USER-FRIENDLINESS

What matters in a rules management system, says Barnes, isn’t the list
of features; it’s how user-friendly it is to nontechnical people. Most
organizations buying rules engines today want their business managers
to be able to create and edit their own rules.

“The real differences, and the real areas for improvement, have to do
with usability,” says Barnes. He suggests that businesses begin by
evaluating how easy it is for users to formulate business rules with
the product.

“The value proposition of a rules engine is the ability to manage
business rules, and those rules should be defined by business people,”
Barnes says. “Unfortunately, many products are still too immature and
too technical at this point.”


Hildreth is a freelance writer in 
Waltham, Mass. She can be reached 
at Sue.Hildreth@comcast.net. 
CIO Discusses IT Methods for Mergers


BY ROBERT L. MITCHELL 

Ed Kamins, CIO of $10 billion 
computer systems distributor 
Avnet Inc. in Phoenix, recently 
spoke to Computerworld about
the challenges posed by multi- 
ple mergers and massive IT 
consolidation projects. 


You're restructuring your IT infrastructure. Can you give examples of
what you're doing? We had nine ERP systems in various places around
the world. Today, we are fundamentally down to four and continuing to
consolidate. By the first of the fiscal year [in July], we will be
entirely on SAP in Asia.

Why did you have so many ERP systems? When you make 45 acquisitions
and you have far-flung enterprises across the world, you have brought
with those acquisitions some very talented and capable people and the
systems they worked on. It’s probably not prudent to start by wiping
everything out. But over time, there’s a relentless pressure [to
improve profit margins]. Part of the solution is more and more
efficient operations.


What hardware and software defines your IT infrastructure? IBM and HP
are the backbone of what we do. On the software side, we had
implemented SAP in Europe. We got in very, very early, so it was a
very steep learning curve and development process for us. That curve
has smoothed itself out quite nicely now so that we’re deploying SAP
in Asia. We have a homegrown system here in the U.S., and there is
part of Europe that has a homegrown system. We use SAP for finance,
for example; we use the SAP HR module. We're using their global
trading system for export compliance. Our architecture allows us to
bring in the best in a category and marry it up with the rest of the
applications.


What major projects have you worked on? We had about 750 servers [when
I arrived]. The average utilization of those was somewhere between 10%
and 15%. We did a server consolidation, and today we have about half
as many servers that are far more efficiently utilized.

What technologies did you use to do that? It’s an evolving process.
We had enough servers
The connectivity of those servers is something we tried to be smart
about. But there is a whole series of steps going forward that will
get us to a true shared-service kind of environment. I’m very
interested in the grid concept.

Step 1 was to reduce the number of servers, put more applications on a
box. Step 2 is optimizing the boxes to make sure we don’t have
vulnerability points. Step 3, which is yet to come, is something that
will look like a grid of systems in which multiple systems could pick
up the slack when one system fails or is overloaded.


Are there other initiatives besides grid that you’re excited about? I
think that that which makes it simpler for the user makes it more
productive for everybody. I want an environment where everything that
faces the user is Web-like and intuitive. I just got back from a
seminar [that] IBM put on, and I heard a lot about blogs. What I was
interested in was the communication methodology using the Internet and
how that applies internally in the business.


KAMINS CONTINUES 


more of this interview 

our Web site 
Quicklink 54505 
www.computerworld.com 








SECURITY MANAGER'S JOURNAL

Consumer Data on the Cheap


A mandate to protect individuals’ personal 
data in the agency’s databases isn’t accom- 
panied by any extra funds. By C.J. Kelly 


IN MY LAST COLUMN [QuickLink 53861], I
discussed how I was called
upon to do a fiscal-impact 
analysis of a privacy bill that 
was going before our state leg- 
islature. The bill is expected 
to pass soon and become law. 
And when that happens, state 
agencies like the one I work 
in, as well as private business- 
es, will be held accountable 
for any disclosures of 
individuals’ personal 
information. 

Despite my conclu- 
sion that complying 
with this law would 
require several hun- 
dred thousand dollars 
for just my agency, we and 
other state agencies might not 
receive any additional funds to 
comply with the mandate. So 
how do I go about protecting 
all the personal information 
that resides in our databases 
and servers and traverses our 
network? 

No single hardware device 
or software application will be 
adequate. My best option is to 
use open-source tools and ex- 
isting hardware to configure 
and install an intrusion-detec- 
tion system. The IDS will let 
us monitor network intrusions 
and attacks and investigate the 
possibility of data such as So- 
cial Security numbers leaving 
or traversing our network in 
plain text. At least it’s a start. 


Do-it-Herself 

In all my previous, private-sector jobs, I managed the people who
configured and installed such systems. Although I have analyzed the
data from these systems, correlated the information with output from
other sources, given direction to staff and approved plans related to
the placement of network taps, network monitoring appliances,
firewalls, VPN concentrators and other security devices, I have never
built such a device with my bare hands and put it into production. I
am unaware of anyone within the state system who has walked down this
path before. But that could be a case of the right hand not knowing
what the left hand is doing; state agencies are fairly autonomous, and
while efforts are currently under way to improve collaboration and the
pooling of talent in the security arena, there doesn’t appear to be a
strategic plan. So people like me just muddle along, trying to do the
right thing.

I’m a bit hesitant. Can I do 
this? To master the software I 
have selected — Red Hat Inc.’s 
Fedora Core 3, Snort, MySQL 
and BASE, as well as Apache, 
SSL and PHP — I will have to 
rely on my little-used *nix 
(Unix and Linux) skills, as 
well as white papers and how- 
to articles written by those 
much more experienced than 
me in the nuts and bolts of all 
this. I can also consult news- 
groups and call on many 


| have never built 
such a device with 
my bare hands and 
put it into production. 


ITY 








| friends and colleagues. And I 
| know that help will be readily 


available from the open- 
source community, perhaps 
the most collaborative group 
of people on the planet. 

For those of you unfamiliar 
with these particular pieces 
of software, here’s a short 
primer: Fedora Core 3 is Red 
Hat’s free distribution of Lin- 
ux. Snort can be described as a 
lightweight network IDS capa- 
ble of performing real-time 
traffic analysis and packet log- 
ging for IP networks. (“Real- 
time traffic analysis” is a bit of 
a misnomer. The type of IDS 
I intend to build is a passive 
system; it will watch network 
traffic and be able to send 
alerts when rules are violated, 
but it will depend on a human 
being to watch for the alerts 
and react accordingly. In con- 
trast, an intrusion-prevention 
system sits in-line and either 
passes or denies traffic based 
on a configurable rule set.) 

Snort can also perform pro- 
tocol analysis and content 
searching/matching, and it 
can be used to detect a variety 
of attacks and probes, such 
as buffer overflows, stealth 
port scans, Common Gateway 
Interface attacks, Server Mes- 
sage Block probes and operat- 
ing system fingerprinting at- 
tempts. It uses a rules-based 
language to describe the traf- 
fic that it should be collecting, 
and it has a real-time alerting 
capability. 
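
The goal stated earlier in this column, spotting Social Security numbers that cross the network in plain text, is a content-matching job of the kind described above. The following is an added example, not code from the column or from Snort: a passive matcher in Python that only reports, with the HOME_NET range, the packet tuple layout and all sample payloads constructed for illustration.

```python
import ipaddress
import re

# Assumption for this example: the agency's internal address space.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# 3-2-4 digits with the same separator ('-' or ' ') used twice, and not
# embedded in a longer run of digits or hyphens (order numbers, phone numbers).
SSN_RE = re.compile(rb"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")


def plausible_ssn(area: bytes, group: bytes, serial: bytes) -> bool:
    """Drop values that were never issued: area 000, 666 or 9xx,
    group 00, serial 0000. This cuts false positives from random digits."""
    if area in (b"000", b"666") or area.startswith(b"9"):
        return False
    return group != b"00" and serial != b"0000"


def find_ssns(payload: bytes) -> list:
    """Return (offset, masked value) for each plausible SSN in a cleartext
    payload. Only the last four digits are kept, so the alert store does
    not itself become a collection of full SSNs."""
    hits = []
    for m in SSN_RE.finditer(payload):
        area, _sep, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            hits.append((m.start(), "***-**-" + serial.decode("ascii")))
    return hits


def inspect(packets) -> list:
    """Passive inspection: build alerts for a human to review, block nothing.
    Each packet is a (src, dst, dport, payload) tuple (layout assumed here)."""
    alerts = []
    for src, dst, dport, payload in packets:
        hits = find_ssns(payload)
        if not hits:
            continue
        outbound = ipaddress.ip_address(dst) not in HOME_NET
        alerts.append({
            "src": src,
            "dst": dst,
            "dport": dport,
            "direction": "outbound" if outbound else "internal",
            "matches": hits,
        })
    return alerts


# Constructed sample traffic (documentation addresses, made-up values).
SAMPLE_PACKETS = [
    # Web form posted in cleartext to an outside host: should alert.
    ("10.1.2.3", "203.0.113.9", 80,
     b"POST /apply HTTP/1.0\r\n\r\nname=J+Doe&ssn=123-45-6789"),
    # Order number that merely contains an SSN-shaped substring: no alert.
    ("10.1.2.7", "203.0.113.9", 80,
     b"GET /track?order=1123-45-67890 HTTP/1.0\r\n\r\n"),
    # Unencrypted database query between internal hosts: should alert.
    ("10.1.2.3", "10.1.9.9", 3306,
     b"SELECT name FROM claims WHERE ssn='234 56 7890'"),
    # SSN-shaped values with never-issued area numbers: no alert.
    ("10.1.4.4", "198.51.100.20", 25,
     b"Subject: test\r\n\r\nref 000-12-3456 and 666-12-3456"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS):
        print(alert)
```

Traffic that is already encrypted, such as the SSL sessions mentioned in this column, carries no readable payload for a matcher like this to inspect.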

MySQL is a multiuser, 
multithreaded SQL database 
server that comes bundled 
with Fedora. 

PHP, a widely used general- 
purpose scripting language 
that’s well suited for Web 
development, and Apache 
Web server software (utilizing 
SSL — Secure Sockets Layer 
— for security) are available 
with Fedora Core 3. 

BASE, for Basic Analysis and Security Engine, is based on the Analysis
Console for Intrusion Databases (ACID) project code and is now
recommended as a replacement for ACID. This application provides a Web
front end to query and analyze the alerts coming from the Snort IDS
system.

Once I decided on the software, I had to find hardware capable of
running it and performing the network monitoring and analysis. I had
to take what I could get, though. I found a Dell desktop that wasn’t
in use. It had an 80GB hard drive, 256MB of RAM, a Gigabit Ethernet
network card and a 1.6-GHz CPU. From what I have read, this should be
adequate, but there’s no way of knowing until the system is tested in
real time.

I decided to concern myself 
only with intrusion monitor- 
ing for headquarters and not 
the branch offices, simplifying 
the number and placement of 
sensors. I had already request- 
ed that a span (mirrored) port 
be configured on the primary 
switch, and I tested it using 
Ethereal packet analysis soft- 
ware. I know this isn’t the per- 
fect scenario, but again, it’s a 
start and better than nothing. 

Before beginning the soft- 
ware installations, I looked for 
a how-to guide (instead of my 
usual approach, which in- 
volves installing software, 
making mistakes, reinstalling 
and so forth). The fellow who 
wrote the guide, Patrick Harp- 
er, will surely hear from me, 
since he states that his docu- 
ment is for the “Linux newbie, 
as well the Snort newbie.” I 
will let you know how this 
turns out in a couple of weeks, 
and I challenge any interested 
security managers to do this 
with me — all by yourselves. 
Don’t let the engineers have
all the fun.


WHAT DO YOU THINK? 


This week's journal is written by a real 
security manager, “C.J. Kelly,” whose 
name and employer have been disguised 
for obvious reasons. Contact her at 
mscjkelly@yahoo.com, or join the dis- 
cussion in our forum: QuickLink 21590 


To find a complete archive of our 
Security Manager's Journals, go online to: 


computerworld.com/secjournal











COMING: SENSORS AND PIXELS EVERYWHERE

Businesses and customers will share these ears and eyes.
BY LINDA ROSENCRANCE

Global director of research ... Technology Laboratories, the
Chicago-based technology research and development unit of
Accenture Ltd.

Gershman spoke recently with Computerworld ... for the future of
technology, which includes interactive grocery carts and the ability
for your wardrobe to communicate with stores.


What are the three main trends that will 
be driving business applications over the 
next three to five years? If you look 
three to five years out, the underlying 
technology trends that . . . will contin- 
ue to drive innovation are: 

1. The rise of intelligent sensor 
networks. 

2. The rise of scalable intelligence 
techniques — all the techniques that 
can analyze the data that is coming 
from all the sensors and could lead to 
useful business insight. 

3. The rise of technology that en- 
ables you to be and act “there” from a 
distance and cope with lots of informa- 
tion, and it will be driven by pixels. 
We're going to have very inexpensive 
pixels everywhere — we see it in cell 
phones. 

Those are technologies that enable us to sense — intelligent sensor
networks; to think — technologies that enable our systems to think,
which is scalable intelligence; and technologies that enable us to act
on all this intelligence.


What are the business applications of 
these trends? Our vision of the busi- 
ness implications of these trends is 
what we call Reality Online — a con- 
nection between the physical world 
and the world that is reflected in our 
systems, so now technology will en- 
able us to connect to physical realities 
and see them in real time, and for them 
to be reflected in our systems in real 
time so we can act on them in real 
time. I think Reality Online is going to 
revolutionize relationships between 
customers and enterprises. 


How will Reality Online do that? Let's
take an example of shopping for groceries.
Supermarkets already collect a
lot of information about their cus- 
tomers, using loyalty cards and check- 
out information, but they don’t do 
much with that information today. And 
the customers don’t get much benefit 
from this information. 

Although some supermarkets are 
already experimenting with smart 
shopping carts, they don’t do much 
with them except to show customers 
some advertising and, in some stores, 
customers can use those carts as self- 
checkouts. A smart shopping cart is a 
cart with a little screen attached to it 
and with a wireless connection so 
with that cart, the supermarkets can 
actually communicate with a customer 
in real time. 

Accenture built a prototype ... that creates a model of a particular
customer, say, Mrs. Jones, so we can create an exact model of Mrs.
Jones with her exact shopping habits — what did Mrs. Jones buy, when
did she buy it?

We can use this model to predict exactly what Mrs. Jones is likely to
need, or want, in Aisle 3 of the supermarket on Tuesday afternoon. So
with the smart cart, we can actually say something intelligent to Mrs.
Jones, like reminding her about what she would buy in her normal
buying cycle in a particular location of the supermarket, because
shoppers typically forget to buy between 10% and 12% of what they
should be buying.

And that’s real money to the bottom line of a supermarket, and that’s
convenience for Mrs. Jones. This is what we call experiential
technologies, or experience technologies — technologies that enable us
to act right there where Mrs. Jones needs that action, right there in
Aisle 3.


Can you take that idea a little further? 

If we take this a little bit further into 
the future, we can imagine that a lot of 
clothing that we buy is going to have 
RFID tags. You can zap these tags out 
of existence at [the checkout] counter, 
but if you keep them activated, then 
you can access some interesting ser- 
vices through what we call an Online 
Wardrobe, which uses sensors, tagging 
and tracking technologies. 

With the Online Wardrobe, con- 
sumers can selectively reveal the con- 
tents of their wardrobe to their favorite 
merchants. In return, they receive
personalized offerings and timely
reminders about products of interest.
And since the wardrobe is in the con- 
sumers’ homes, businesses can more 
easily deliver products and services to 
where their customers live, rather than 
having to lure them to their stores or 
Web sites to make a sale. 

Say, for example, you buy a jacket 
and you take it home, and your closet 
reads the tag and knows you bought a 
new jacket, and it can suggest what 
goes with it that you could purchase 
from an online store. The Online 
Wardrobe brings services to the point 
of need — you can buy clothing 
through a connected closet. 


How will camera phones enhance the 
relationship between businesses and 
customers? Today, people use phones 
to tell something to businesses, but 
with the proliferation of camera 
phones, people want to show something
to businesses. Say I see a chair I like.
I can take a photo of it and send
it to a furniture store and ask if they
have a chair like that.

Technically, people can take snap- 
shots today, and they can e-mail 
snapshots today, but if customers 
want to do this, businesses have to 
create media-enabled call centers with 
the technology to handle that kind of 
incoming media in a scalable fashion. 
This will take some time — remember, 
it took many, many years to move from 
simple telephone service to call cen- 
ters. I think it will move much faster 
than that, but I think it will take some 
time because it requires a change in 
the way businesses think about their
customers.


The Online Wardrobe uses sensors, tagging and tracking technologies to keep track of the cloth- 
ing you already own and helps you buy coordinating items, either online or in physical stores. 








Compuware Ships Governance System

Compuware Corp. has begun
shipping Changepoint 10, an inte- 
grated IT governance and IT man- 
agement system. The software is 
designed to provide enhanced 
visibility across applications, IT 
infrastructure systems and proj- 
ect portfolios, according to the 
Detroit-based company. New 
functionality includes the ability 
to identify applications that might 
be affected by systems being de- 
veloped, plus configurable work- 
flow capabilities that enable IT 
managers to identify a project's 
status. Prices for the Windows- 
based product range from $400 
to $2,000 per named user. 


Elemental Upgrades Compliance System

Elemental Security Inc. in San
Mateo, Calif., announced the lat- 
est version of its Elemental Com- 
pliance System. The new version 
offers increased platform cover- 
age, including agent support for 
Windows 2000 desktops, Win- 
dows 2000 and Windows 2003 
servers, and Red Hat Enterprise 
Linux 3.0. It also has a deeper 
policy library that includes tem- 
plates for Sarbanes-Oxley Act 
compliance and additional Win- 
dows applications, the vendor 
said. New automated remediation 
of host and application configura- 
tion policies, additional reports 
and support for Active Directory 
integration are also included. 
Pricing starts at $100,000. 


Oracle, Zend Agree 
On Integration Link 


Oracle Corp. and Zend Tech-
nologies Inc. in Cupertino, Calif.,
announced new integration be-
tween Oracle’s database and
Zend’s PHP open-source scripting
language for developing Web ap-
plications. The companies plan to
deliver a free download in the third
quarter called Zend Core for Ora-
cle, which will allow developers
to deliver PHP applications that
are tightly integrated with Ora-
cle’s database.





Know Your

JIAN ZHEN

TECHNOLOGY PRODUCTS are generally implemented either as appliances or as software applications. It’s vital for companies to understand the differences in cost, performance, security, installation, maintenance and support for these two different approaches as they make buying decisions.

Software vendors typically offer customers only the products they sell. Each product is often just a small piece of the larger puzzle of implementing a complex technology system. The customer is left with the burden of supplying all of the other components, such as hardware, databases and storage. Each of these components can add a significant amount to the total cost.

In contrast, appliance-based systems usually come as stand-alone, dedicated machines that may not require additional hardware and software. They may, however, have specialized ASICs or hardware built in, and they may have higher initial costs. And many customers may not want extra hardware in their data centers, and they may be able to reuse existing servers, databases and storage.

Appliance-based products are designed for only one standard platform, whereas software-based systems must support hundreds of combinations of hardware and software.

Appliances can be implemented based on the knowledge of the underlying hardware. This gives the customer tremendous leverage in the performance optimization process. Appliance vendors typically provide only a few choices of hardware platforms, but if it gives the customer the ability to acquire high-performance hardware, sometimes it is a better way to go.

The life expectancy of a default installation of Linux — meaning the time it takes for the host to be compromised — is approximately three days. For default installations of Windows operating systems, it’s much shorter, usually minutes. For this reason, appliance vendors usually take special precautions to equip their products with minimum configurations that feature only essential tools and utilities. They may also harden the operating system to allow only authorized access.

In contrast, software is generally installed on the customer’s own servers. And the burden of securing these servers falls on the customer. Software may be an option for organizations that have standardized security hardening policies and whose employees have security expertise. For other environments, an already hardened appliance might be the better choice.

In a complex technology acquisition, the installation and configuration is often the most time-consuming phase of the project. Appliance-based technologies are designed to spare users the pain of selecting hardware, installing an operating system, keeping patches up to date and handling general system administration tasks.

Software products, on the other hand, require a complex installation process that includes these steps: obtain and qualify the server; ensure that the server’s operating system is updated to the revision level supported by the product; update the server with security patches; load the software on databases, the Web server and the application server; and configure the applications to work with the database and back-end systems. This can take weeks, if not months, to complete.

However, the road to implementa- 
tion of an appliance can also be ex- 
tremely long if the product comes 
with a nonstandard operating system 
or software that corporate security 
policies do not allow. 

With a minimum operating system 
installation, appliances are usually not 
threatened by security vulnerabilities. 
The appliance vendors also pick up 
the responsibilities of monitoring and 
identifying required patches. 

In the case of software purchases, 
the customers provide the servers and 
must monitor and identify any patches 
that may affect their environments. 
However, many customers are already 
doing that to support the rest of their 
IT infrastructures. 

Appliances are integrated hardware and software systems designed to work together. And appliance vendors are responsible for supporting everything, including the hardware, operating system and application, providing a single point of contact when a question or problem arises.

With software, the customer is left with the burden of determining which hardware component, operating system or application is at fault when a problem arises. This means the customer, not the vendor, must manage the problem, which may increase the time it takes to repair things.

In any product selection process, you must explore your choices in light of your current resources and your corporate security policy. Those steps will lead to a much more informed and thorough analysis of the real cost of buying a technology product. @ 54476


05.23.05

PREMIER 100 SPOTLIGHT

Raise the Bar

Good vendor relationships — and superior service — don’t happen by accident. Here’s how our Premier 100 leaders get their IT vendors to notch up their performance. Page 42

Career Watch

Sherry Aaholm of FedEx answers readers’ questions about jobs and careers; and a new book explains how to hang on to your company’s “deep smarts.” Page 48

OPINION

Chain of Command: IT and the CEO

It’s critical for the CIO to report to the CEO, says former Ace Hardware CIO Paul Ingevaldson. Here are eight reasons why. Page 50

Groom
Generation

Smart IT leaders take succession planning seriously. By Thomas Hoffman

UNTIL RECENTLY, many CIOs hadn’t given much thought to succession planning, thanks largely to a weak economy and low staff turnover.

“People were lulled into a sense of complacency over the last five years, as there hadn’t been much job movement,” says Bill Homa, CIO at Hannaford Brothers Co., a Scarborough, Maine-based grocer.

But that’s starting to change. The economy is gaining strength, and turnover is edging up. More important, many CIOs are recognizing that they need to actively develop the next generation of IT managers and technical leaders as thousands of experienced baby boomer IT professionals near retirement age and U.S. colleges and universities churn out fewer computer science graduates.

“Ten years from now, we’re going to be facing a big gap” in supply and demand for IT management and technical skills, says Maria Schafer, an analyst at Gartner Inc.

Senior management at most U.S. companies has done a poor job of succession planning — not only within the IT ranks but throughout most corporate departments such as finance, customer service and human resources, says Schafer. “We just don’t think in long-term horizons in the U.S. as they do in Japan and Germany,” she adds.

Still, some forward-thinking companies, like General Electric Co., have had succession management programs for years. “We place succession planning as an integral part of our leadership development process,” says Chris Perretta, vice president and CIO at GE Commercial Finance in Stamford, Conn.

Under a formal review process that’s done for all GE employees each spring, managers conduct an exercise known internally as “Succession C,” in which a rigorous, written succession plan is put together for each worker, says Perretta. GE Commercial Finance has a succession plan for each of its 1,200 IT workers, he adds. At the CIO level, Perretta and other executives are constantly assessing IT directors and other potential candidates for attributes such as curiosity, business focus and high energy levels. To help develop its next set of IT and other corporate leaders, GE developed a short-term international rotation program more than 10 years ago to move workers among various geographic locations in order to give them “tangible [international] experience,” says Hank Zupnick, CIO at GE Commercial Finance Real Estate, a division of GE Commercial Finance, also in Stamford.

Detroit-based DTE Energy Co. launched a corporate succession-planning effort three years ago. The program was started following an executive repositioning in the wake of DTE’s merger with MCN Energy Group Inc. and an early-retirement program that was more popular than expected, says Lynne Ellyn, senior vice president and CIO at the diversified energy company. As part of the effort within DTE Energy’s 800-person IT department, Ellyn and other executives regularly review positions that are critical to the ongoing operations of the business, ensuring that there’s a “farm club” of talented IT professionals to fill critical positions as needed, she says.

Ellyn also has “a very detailed succession plan” for her own role. She has identified several IT directors as candidates to replace her — a list that has been reviewed by DTE Energy’s executive committee “so that it’s well known,” she adds.


Real-World Testing

Dan Demeter, Korn/Ferry International’s CIO, looks for ways to try out his succession scenarios. “When I go on vacation, I [...] different people in charge,” says Demeter, who manages a 60-person IT staff at the Los Angeles-based executive placement firm.

At other times, Demeter distributes his responsibilities among various IT directors and grants executive authority to one person. All this helps ensure that his management team will be ready to step in when needed.

For some IT managers, succession management within the IT organization isn’t strictly a hierarchical exercise. For instance, when Marriott International Inc. considers candidates for an opening within its 1,200-person information resources department, [...] look across the organization, not [...] and up,” says George Hall, senior vice [...] human resources for the IT group [...] Md.-based hotel operator. By [...] through the organization [...] you may be limiting your [...] be the most effective person [...]

Because some technicians want leadership roles within their domain [...] become managers, Marriott has put together [...] leadership track and a technology [...]. People in the technology track can grow [...] number of roles that lead up to the vice president level in terms of compensation, says Hall.

Gwen Walsh, a senior consultant at Ouellette & Associates Consulting Inc., offers these succession-planning tips:

Don’t limit your thinking to formal leadership positions; informal leaders may be critical to your business.

Don’t neglect to share the progression paths and let each person in your organization know where he fits into the big picture.

Don’t limit your analysis to fit the profile of the person currently holding the position.

Don’t hesitate to grow your current leaders to optimize today’s contributions and results.

Don’t overlook a diamond in the rough.

Don’t keep all of the information in your head; document it.
Like GE, Marriott also offers rotational assignments for IT and business workers alike. For example, one of its senior IT managers recently moved into a corporate HR role while a member of the finance department transferred to the IT department to work on financial applications, Hall says.

In addition to rotating IT and business personnel, Hannaford Brothers’ Homa says he likes to place people in roles “outside their comfort zones” to help them grow professionally.

For instance, the person who had been overseeing the grocer’s Windows NT operating system group wanted to develop more managerial experience. So Homa recently placed him in charge of the company’s IT support center, where he’ll be managing more personnel and responding “to a lot more problems,” says Homa.

Truman Medical Centers Inc. recently launched a leadership pipeline program to identify people who are ready to move into roles with greater responsibilities. In addition to handling their usual work, the 1) people who were selected have each been paired with an executive mentor and have been asked to oversee a strategic project that was hand-picked for them by the company’s CEO, says CIO Bill McQuiston.

The Kansas City, Mo.-based health care provider has also established leadership programs to identify “raw talent” in the organization and to help existing leaders address deficits in skills such as communication or presentation that might keep them from cracking the executive ranks, says McQuiston.


Harder Than It Looks

As essential as IT succession planning is, it’s also fraught with challenges. The first concerns the demands of technology itself. For example, DTE Energy needs IT workers who have a deep understanding of a particular technology, says Ellyn. But that focus can leave someone “inadequately equipped to move horizontally or in other areas” where interpersonal, business and other soft skills are needed, she says.

Another challenge is retaining people who have been groomed to move ahead. As companies invest in training and developing IT workers, they’re also making them more marketable. One of the biggest challenges that Marriott faces is low turnover at the senior management level, which can hinder emerging leaders from moving up quickly, says Hall.

CIOs also have to gain a better understanding of what makes younger IT workers tick. In the past, “when people died off or moved on, you advanced,” says McQuiston. Now, he says, “people are looking for a better road map” for their careers. @ 54219
PREMIER 100 SPOTLIGHT

Ten tips to help you get the best performance from your IT vendors.

By Mary Brandel

MANAGING technology vendors used to be an invisible job that somehow just got done. But with more-complex IT offerings, increasingly complicated negotiations and the budgetary imperative to get the best deal, companies are formalizing the vendor management function with standard processes, centralized administration and firm opinions as to what does and doesn’t work.

The change can be seen among 
Computerworld’s Premier 100 IT Lead- 
ers, some of whom agreed to share 
best practices. Here are their tips on 
managing your hardware, software and 
services vendors. 


Remove IT from the 
contract business. 
“The last thing you want is 
IT negotiating with ven- 
dors,” says David Rice, CIO 
at Siemens Medical Solu- 
tions Inc. in Malvern, Pa. “It 
can get very confusing and make nego- 
tiations unwieldy.” 
Take the contract negotiation process away from IT and leave it to the experts. The rewards: efficiency, purchasing power and increasingly experienced negotiators.

Many companies have established 
vendor management offices (VMO) to 
handle vendor relationship manage- 
ment, negotiations and contract cost 
containment [QuickLink 52017]. When 
you've got a VMO, IT has to learn to 
butt out. 

“When we're working on a deal, we 
communicate within the organization 
that only certain people should be dis- 
cussing it with the vendor,” says Rick 
Omartian, IT chief financial officer at 
The Guardian Life Insurance Company 
of America in New York, which has es- 
tablished a VMO. E-mail reminders warn 
IT workers not to talk with any sales- 
person, lest an innocent remark reveal 
pricing details on competitive contracts 
or internal deadlines and pressures. 

But not all success- 
ful vendor manage- 
ment happens through 
a VMO. At Regions Fi- 
nancial Corp. in Birm- 
ingham, Ala., each 
vendor relationship is 
managed by the IT 
manager who most often uses that vendor’s products or services. The procurement group heads
up negotiations, however, while the le- 
gal department handles the contracting 
process, according to CIO John Dick. 


Aggregate 
purchasing power. 
Centralizing contract ne- 
gotiations can also help 
aggregate technology 
purchases and leverage 
your purchasing power, 
says Dick. Regions Financial strives to be among its vendors’ top 10 customers in terms of sales volume, in hopes of maximizing the business relationship and getting deeper discounts. “It’s real important to position your purchasing power at the sweet spot of the vendor,” Dick says.

Being a key customer has other potential rewards, including reciprocal business, he adds. For example, Regions Financial encourages its top technology providers to purchase its banking services.

www.well.com/user/benchmar
www.benchmarkportal.com
www.pweservices.com/saratoga-institute
www.asq.org


Don’t get cozy. 

No matter how strong the 
relationship is between 
your company and your 
vendor, always keep an 
eye out for other deals. 

A case in point: Until 
recently, Guardian was using a single 
vendor for its telecommunications ser- 
vices. Then it conducted a full-blown 
request for proposals and ended up 
choosing two other vendors that now 
compete for its business, resulting in a 
35% cost reduction, Omartian says. 
Now, “all vendors have to win our 
business on every deal,” he says. 

Guardian ensures that no relationship 
gets too cozy. “When we spend a certain 
amount of money with one particular 
vendor, we need to substantiate why we 
went with that one versus another,” says 
Shelley McIntyre, vice president of busi- 
ness technology services. 

Finding a better deal doesn’t always mean changing vendors. Sometimes it just means lighting a fire under a partner. At MasterCard International Inc., Jim Hull, vice president of engineering services, checked out competitive offerings and found that one of his current telecom vendors had overpriced a bid by 100%. “We went back to our partner and said, ‘You’re in danger of losing this business,’ ” he says. “And guess what? They matched” a competitor’s bid.

Now MasterCard takes pains to keep everybody honest. For example, one vendor had previously dominated its storage business, but MasterCard recently added a second vendor to the mix. “Even though you have a great relationship and they have a great product, how do you know you’re getting a good deal?” Hull asks.


Benchmark the industry.
Industry benchmarking is an important tool for getting a fair deal. Contracts should always have benchmarking clauses to ensure that the service and pricing you receive stays competitive; this is particularly important in long-term service contracts, says Frank Enfanto, vice president of health care services systems delivery at Blue Cross and Blue Shield of Massachusetts Inc. in Boston. “Ten years ago, things were more costly on a per-unit basis than now,” he explains. The benchmarking clause should specify the review process and who needs to be involved.
You can also get pricing trend infor- 
mation from vendors that solicit you 
for business. “We get an idea of what 
their pricing is and renegotiate rates 
[with current suppliers] if we see a 
downward trend,” McIntyre says. 


Don’t beat up the vendor on price.
There’s a caveat to all this talk about price. Sometimes, getting the lowest price is a harbinger of poor quality. Shoot for a mutually good deal. “This idea that I’m going to squeeze the vendor to get every cent — that’s not good business,” Rice says. “If it’s too sweet a deal on either side, it comes back to bite you later.” The relationship can turn adversarial, the supplier may become less responsive to issues you raise, and quality can suffer.


Evaluate, evaluate, evaluate.
Evaluate vendor performance using standardized procedures on a weekly, monthly, semiannual or annual basis, depending on the type of relationship. Guardian, for instance, uses 12 categories to rate its hardware and software vendors semiannually, including presales, postsales, cost-effectiveness, technology leadership, financial strength, cost savings and flexibility.

Siemens meets with outsourcers weekly to review call volumes, mean response time and other metrics. “You have to bird-dog it,” Rice says.

Evaluation metrics allow you to catch problems early and be open with the vendor about resolving them. “I’ve seen people rant and rave about poor service and then not follow through,” Dick says. “Vendors need to understand your willingness to escalate to the highest levels in the company and do it rapidly.”

COMPUTERWORLD May 23, 2005

Worst Practices

IT vendor relationships are challenging in general, but relationships with outsourcers are the most challenging of all.

According to a white paper by Technology & Business Integrators, a consulting firm in Ramsey, N.J., there are some very wrong things to do when considering outsourcing IT functions. Here are TBI’s outsourcing no-nos.

Don’t rely on a handshake or ignore your due diligence.

Don’t second-guess the decision to outsource. That will undermine working relationships.

Don’t rely on a vendor for business advice, strategic advice or thought leadership in emerging technologies, unless that’s specifically the service it is contracted to provide.

Don’t assume that saving money will be the overriding benefit.

Don’t be complacent if you notice significant personnel change at the vendor.

Don’t outsource a problem. That will just make it an externally sourced problem.







Apply peer pressure. 
Regions Financial some- 
times uses peer pressure 
to resolve vendor service 
issues. For example, it had 
a problem with its older 
ATMs, which were 
achieving only a 95% availability rate 
compared with a 98% industry aver- 
age. The ATM vendor suggested that 
Regions purchase all new ATMs — a 
multimillion-dollar investment. In- 
stead, after a week of exceptionally 
long outages, Dick began monthly 
meetings with all of the ATM service 
and equipment providers, as well as 
the internal IT people. Everyone was 
required to detail problems, resolu- 
tions, costs and avoidance measures. 
“There were 40 people in the room, 
and we used peer pressure to make 
them accountable for their perfor- 
mance,” Dick says. 

The result: “We went from several 
hundred extended outages to less than 
15 a month,” he says. The company’s 
1,400 ATMs now have an availability 
rate of 98.6%. 

When MasterCard recently encoun- 
tered a problem restoring backup data, 
it called in its hardware, software, net- 
work and storage vendors. It turned out 
that the tape vendor had mistakenly 
sold faulty drives to MasterCard. “Until 
it proved it could fix the problem, we 
told them we wouldn’t buy any more 
tape drives from them,” Hull says. Not 
only did the vendor fix the problem, 
but today it’s much more focused on 
meeting MasterCard’s needs, he says. 


Focus on security. 
When Guardian created 
its VMO, it set up stan- 
dard processes for its 
contracts, ensuring that 
terms were consistent 
across all relationships. 
When creating the contracts, the com- 
pany decided to also nail down its se- 
curity requirements. It created stricter 
intellectual property terms, for exam- 
ple, and required that contractors un- 
dergo background checks and that 
contracting firms carry a certain level 
of insurance. “If fraud is committed by 
one of their employees, we want to 
know they have insurance to cover 
that,” Omartian explains. 










Develop a list of 
preferred vendors. 
Regions Financial main- 
tains a strategic vendor 
management program 
for the dozen or so of its 
suppliers that it deems 
most important. The criteria for that 
designation include how much money 
Regions spends on the vendor’s tech- 
nology, the strategic nature of the 
products or services, and the common- 
ality of the companies’ technology vi- 
sions, according to 
Dick. Regions devel- 
ops special relation- 
ships with these ven- 
dors and expects high- 
er delivery standards, 
shared technology in- 
vestments and recip- 
rocal business. 
Remember, not every vendor can be 
— or should be — strategic. You need 
to differentiate, Enfanto says. “You need
to understand what type of relationship
you want — strategic or just tactical,”
he explains. “In a true partnership, 
there’s a lot of compromise on both 
sides. You might give up something on 
price but then get [more in] services.” 
In a strategic relationship, he says, the 
vendor “is really concentrating on you. 
Your problems are their problems; 
your successes are their successes.” 


Use preterms. 
The last place 
you want to get 
bogged down in 
vendor manage- 
ment is during 
contract review. 
“Once we make the decision to go with 
a certain vendor, we don’t want to find 
out there’s a major [contract] term that 
they won’t agree to,” Omartian says. 
Guardian uses preterm documents, 
which outline contract terms in business 
lingo rather than in legalese, and gives 
them to the handful of vendors that 
make the final cut during negotiations. 
The preterm phase 
has already proved 
useful. “There was 
one time that we'd 
narrowed it down to 
three finalists, and we 
couldn’t get an 
agreement from one 
on the preterm,” 
McIntyre says, “so we actually 
switched out a vendor.” @ 54221 


Brandel is a contributing writer in Grand 
Rapids, Mich. You can contact her at 
mary.brandel@comcast.net. 








Q&A

Aaholm is this month’s guest Premier 100 IT Leader, answering questions about landing a job in IT and making the right career move.

FedEx Services

What options does an unemployed mainframe programmer/analyst with 30 years’ experience have to regain employment, when outsourcing for mainframe, midrange and client/server is at an all-time high?

You have two areas to explore. First, there are several large companies that do significant amounts of development work within their own IT organizations and utilize offshore partners to help supplement development, and there are large companies that do all of their development work in-house. Only in the past few years have companies once again started hiring IT resources instead of holding head count static. Researching those companies that pursue this strategy might offer employment options.

The second and potentially more advantageous way to approach this is to take your 30 years of experience and outline how you could use it to assist those companies that use offshore partners. One of the challenges companies face when using offshore partners is having solid processes in place to manage the relationship and make it a win for both the company and the partner. So leveraging your 30 years to support this is an avenue to consider.

I have 10 years of experience in IT, with a master’s degree in computer science, an executive MBA from a top school and certifications such as PMP, CISA and CISM. I am currently working as a project manager. Can you offer a suggestion regarding a next step in my career where I can leverage all of the above?

Focus on how you can apply these skills to business analysis. Make the link between business and IT, help put technology in layman’s terms and define how it can help drive business goals. Focus on how to leverage what you have learned in the past 10 years and how that applies to the industry you are targeting. Use that to your advantage to create a laser focus on the job you want. People who have the skills to bridge technology and business aren't necessarily common, and they add significant value to a company. QuickLink 53927
Hanging On to Your

deep smarts to be competitive? In their new book, Deep Smarts: How to Cultivate and Transfer Enduring Business Wisdom (Harvard Business School Press, 2005), Dorothy Leonard and Walter Swap argue that the most successful corporations rely on people who possess a knowledge that is drawn from “firsthand life experiences” and “shaped by beliefs and social forces” based primarily on know-how and “know-who.”

As the book's title suggests, the authors’ main concern is helping organizations find ways to cultivate and transfer deep smarts so that knowledge can continue to benefit the organization after its original possessor has moved on.

Leonard and Swap say that deep smarts can be transferred from one management generation to another, but only with a concerted effort. Organizations must select employees with deep [...] deal of their time to coaching protégés. They use a learning process that the au-

Barriers in the Workforce 


In a first-quarter survey of 168 human resource executives and users of “enterprise talent management” systems, Boston-based Aberdeen Group Inc. identified the following as the top concerns and challenges that companies face in creating a high-performing workforce:

Internal workforce career development, succession planning and mobility
Insufficient talent in market
Inconsistency in hiring practices
Inefficiencies in the hiring process
Inability to compete for top talent


Good News, Bad News About CIOs

In a survey of 496 senior executives around the world that asked which of various “emerging” C-level titles will be the most powerful this year, CIO came in second, behind chief marketing officer. What's most intriguing about this may be the fact that CIO and CTO were included on the list of emerging titles. Maybe in another 10 years or so...

Chief marketing officer
Chief information officer
Chief restructuring officer
Chief creative officer
QUICK HITS

Outsourcing

How involved are the lines of business (outside of IT) in setting your company’s IT services initiatives and deciding which to fund?

[Chart: responses for infrastructure outsourcing, business process outsourcing and offshore IT services, each broken down as not involved, somewhat involved, more involved, very involved and don’t know.]

Which statement best describes your interest in...

                                 Infrastructure   Applications
                                 outsourcing      outsourcing
No current interest              40%              32%
Currently investigating          24%              24%
Currently have a pilot project   4%               11%
Currently engaged                26%              28%
(no label)                       6%               4%

Base: 115 IT decision-makers at North American companies. (Totals may not equal 100% because of rounding.)

SOURCE: FORRESTER RESEARCH INC., CAMBRIDGE, MASS., APRIL 2005
Chain of Command: IT and the CEO

FOR MANY YEARS, IT has been trying to make the case that the CIO should report directly to the CEO. But surveys show that only about 40% of CIOs do so, and the proportion that report to the CFO is on the rise. I contend that this is happening because IT has failed to make the case for the importance of the direct reporting relationship. Here are eight reasons why the CIO should report to the CEO.

1. Today, most companies strategically differentiate themselves from their competitors through the use of IT systems. Since the CEO is the company’s chief strategist, he must oversee and direct IT to ensure that it’s involved in the most strategic issues on the table.

2. If IT reports to anyone other than the CEO, the technology agenda will be influenced by the objectives of that particular executive. It’s imperative that IT develop the most critical business applications, not the ones favored by one senior executive.

3. Since strategic IT projects can have so much of an impact on the future of the company, it’s essential that the CEO develop a working knowledge of the process of project creation. Lack of IT expertise is no excuse to delegate this. The CEO must immerse himself in this process to be sure that the company’s strategy is being properly addressed.

4. Although the CFO’s area of expertise may appear to be the most compatible with technology, I would argue that the CIO and CFO positions are polar opposites.

The CFO, by definition, is a risk-averse executive whose major responsibility is to protect the financial well-being of the company. His role is to question all major expenditures and assure that the proper controls are in place to maximize returns on investments. In publicly held companies in particular, the CFO’s viewpoint is decidedly short term.

The CIO must be a risk taker. Every strategic system development project is risky, since it has never been done before in the company and will have a long-term impact. It’s extremely difficult to predict costs and time frames, especially since the user department probably doesn’t fully understand what it needs. And since most significant system developments span multiple years, the CIO must be more future-oriented than the CFO. He needs a long-term vision of the future benefits of new development.

Under a CFO, IT would operate more conservatively. Is a conservative IT department the weapon your company needs to confront the intense competitive environment?

5. The costs of IT continue to rise as departments across the company request more from it. Ironically, it’s IT that must defend its rising budgets. If the CIO doesn’t report to the CEO, the CEO won't understand that the IT budget is an investment in each department within the company.

6. If IT is indeed the strategic engine of the business, all parts of the company must be involved in setting its priorities. If IT reports to the CEO, all the other C-level executives will understand that.

7. The annual capital expense for IT is often the largest in the company. It’s essential that the CEO understand how this IT capital compares to requests from other departments. The CIO needs to be on equal footing with other C-level executives as they present their requirements to the CEO.

8. The IT environment is a minefield of escalating costs, technological setbacks, inflated expectations, shortages of time and resources, and pressure to gain competitive advantage. These difficulties are exacerbated by the limited IT knowledge of most people in the business and the fact that the average CIO tenure is 18 to 36 months. If a company wants to maintain some sense of continuity within its IT ranks, it’s critical that the CIO be a major “cabinet” member and have the ear of the CEO. Otherwise, the CIO will always be a convenient scapegoat when times get tough.

It’s essential that the CIO report to the CEO. One of the most common impediments to this happening, however, is the CIO’s inability to speak the language of business. When we become more business-oriented and give up geekspeak, the CEO will find our meetings worthwhile and will anticipate rather than dread them. QuickLink 54216
Continued from page 1
Sears-CSC

CSC argued in its motions filed with the Court of Appeals — from which it unsuccessfully sought an injunction to stop Sears’ move to cancel the contract for cause — that Sears terminated the agreement “for convenience due to change of control” as a result of the retailer’s merger with Kmart Holding Corp. The merger, which formed a new parent company called Sears Holdings Corp., was announced in November and completed on March 24.

If Sears and Kmart had completed their merger and canceled the contract by March 2, the fee for a convenience termination would have been about $58 million, El Segundo, Calif.-based CSC said. It noted that the fee increased to $96 million if the termination notice came within 90 days of June 1, the one-year anniversary of the contract signing date.

According to CSC, during a Feb. 18 conference call, Sears’ CIO at that time, Gerald Kelly Jr., read from a script, asking CSC to cap the charges at $58 million for a termination for convenience initiated prior to May 31. “If CSC does not choose this path, we will be forced to consider declaring a material breach under the agreement,” Kelly was quoted as saying. In its motions, CSC said it “refused to submit itself to Sears’ extortion tactics.”

In documents filed in court by Sears, though, the Hoffman Estates, Ill.-based retailer said it had notified CSC of 65 individual breaches of the agreement since the contract took effect. Sears claimed that CSC’s performance was “a dismal failure from the start” and by September had become “so poor that [CSC] was forced to summon a ‘red team’ from its corporate offices to assess its deficient performance.”

According to Sears, CSC graded itself as poor in nearly every category of contract performance, including service delivery, project planning and tracking, and team organization and strength.

Sears said it provided CSC with formal written notice on March 18 that the IT services firm had been in material breach of the agreement for several months and that it expected CSC to “cure” the breaches within 30 days.

Requests Denied

Meanwhile, CSC claimed that on the same day, prior to receiving Sears’ notice, it filed suit in U.S. District Court in Chicago seeking a temporary restraining order and preliminary injunction to stop Sears from terminating the contract for cause. It also asked the court for a declaratory judgment that it had not materially breached the contract.

Without ruling on the merits of the case, the district court judge denied CSC’s requests. A representative for the district court said last week that the records of the case were not available. However, both Sears and CSC said in their appeals court documents that the judge ordered them to begin arbitration. CSC requested emergency arbitration, but that was also denied, according to Sears.

Sears and CSC declined to comment on the court cases and arbitration proceedings last week, as did lawyers for both companies.

John Thomas, a technology law partner at Squire, Sanders & Dempsey LLP in Tysons Corner, Va., said he hasn't seen many long-term outsourcing deals become as “publicly messy” as the CSC-Sears one has. But he noted that the fees for terminating contracts for convenience are typically significant so vendors can recoup their heavy upfront expenses.

“The process of gearing up, bringing in people and all the work that goes into the first six to 12 months of an outsourcing relationship is very expensive,” Thomas said.

Even so, Akiba Stern, an attorney at Morgan, Lewis & Bockius LLP in New York, said it’s likely that CSC and Sears will settle the case privately, as parties involved in these types of disputes typically do.

In its SEC filing, CSC said it also will “vigorously pursue recovery” from Sears for the investments and commitments that the outsourcing vendor made in connection with the contract, including its spending on software, property and equipment.

Despite their legal differences, the two companies continue to work together on IT matters. CSC is obligated to provide IT services to Sears for an unspecified period following the termination, according to the retailer’s SEC filing.

The contract called for CSC to provide IT infrastructure support services for Sears’ desktops, servers, Web site systems, voice and data networks, and decision-support technology. QuickLink 54534

CSC

No great leap is required to see what happened here. Sears was willing to pay $58 million in fees, but not the full $96 million it owed. When CSC refused to cap the fees and give up the $38 million to which it was contractually entitled, Sears crafted a plan to save itself all fees.

— From an emergency motion for injunction pending an appeal filed with the U.S. Court of Appeals for the 7th Circuit in Chicago

CSC did not propose adding additional resources or making changes in its existing plans in order to cure the breaches identified by Sears. Instead, CSC’s response consisted of a combination of denials, evasions and misstatements of CSC's responsibilities under the agreement.

— From a legal memorandum in opposition to CSC’s emergency motion for injunction

EDS Sues State Over Contract

ELECTRONIC DATA SYSTEMS CORP. last week filed a lawsuit against the North Carolina Department of Health and Human Services alleging that the agency improperly awarded a $171 million IT services contract to another vendor in April 2004.

The agency chose Affiliated Computer Services Inc. (ACS) over EDS and Unisys Corp. for the five-year Medicaid system pact. EDS, which had held the contract for the past 27 years, filed its lawsuit in North Carolina Superior Court after losing a string of administrative appeals.

In the lawsuit, EDS alleges that the Health and Human Services Department failed to follow its own procedures for reviewing and awarding the contract. The vendor also claims that state CIO George Bakolia last month improperly rejected a summary judgment by an administrative law judge who had ruled in favor of EDS in the contract dispute.

In addition, EDS alleges that the state made procedural errors during the review and appeals processes. It is asking the court to reverse the contract award to Dallas-based ACS.

EDS spokesman Travis Jacobsen said the company is challenging the award because it could set a precedent in deals with other states. The lawsuit “holds the state accountable to its processes,” he said, adding that EDS has won six of six similar Medicaid contract renewals in other states over the past 15 months.

Danny Lineberry, a spokesman for North Carolina's Office of Information Technology Services, said Bakolia wouldn't comment on the matter because of the pending litigation.

A spokeswoman for the Department of Health and Human Services also declined to comment about the lawsuit.

ACS spokeswoman Linda Graham said officials at the EDS rival are confident that it will prevail in the legal battle. “It was a fair procurement, and we have been upheld all along,” she said.

The contract with ACS calls for the replacement and continued operation of the North Carolina Medicaid Management Information System.

- Todd R. Weiss










56 COMPUTERWORLD May 23, 2005 


THE BACK PAGE 


FRANKLY SPEAKING # FRANK HAYES 


The Trust Buster


TRUST. THAT’S THE POINT of the Sarbanes-Oxley Act: making sure investors can trust our financial statements. Of course, for anyone involved in Sarb-Ox compliance projects, it feels more like trust has been hanged, drawn, quartered, electrocuted, run over by a steamroller, then stood up against a wall and shot, just for good measure. With Sarb-Ox, it seems as if nobody in corporate America will ever be allowed to trust anyone ever again.

So there may not seem to be much comfort in the Sarb-Ox guidelines issued last week by the SEC [QuickLink 54486]. The agency’s staff now says we can trust each other — just a little bit.


That means not every single piece of financial data has to be rigorously controlled at every step in its life cycle; corporate management is allowed to use a little discretion. And auditors don’t have to be grim, silent inquisitors; they’re allowed to tell management what’s wrong, explain why it’s wrong and even suggest ways of fixing problems.

It’s only a little ray of trust in what’s become a very dark Sarb-Ox world. But right now, we can use all the hopeful signs we can get.

If you’re not doing Sarb-Ox work, you’re probably wondering what the big deal is. Why are top management and IT staffers all so bitter about it? Sure, it’s a huge project — documenting and testing all the controls on financial information and putting controls in place where they’re missing. But isn’t that really a lot like Y2k was — a huge project that won’t add value at most businesses but still has to be done?

Answer: No. With Y2k, we were saving the world. With Sarb-Ox, we’re agents of the inquisition. Y2k was a heroic sprint for an immovable finish line. More than a year into our Sarb-Ox work, it feels like a death march that will last forever.

And for what? Trust. But it seems as if for every drip of trust that investors will gain, we drain away gallons. Users can no longer be trusted. Neither can managers, or even our own IT people. Every access to data has to be logged, every spreadsheet checked, every number crunch verified.

In an uncomplicated, smoothly professional world, that would be a simple, one-time chore. In the very messy real world of business IT, it’s immensely complex and never-ending. And it’s overlaid by that “trust no one” ethos. We’ve always depended on trust to get through crises, meltdowns, glitches and ordinary momentary stupidity. We’ve trusted one another to reach in and fix the problems.

But now that’s forbidden. No reaching in. No out-of-process fixes. No trust. The job of Sarb-Ox implementors is to institutionalize paranoia. No wonder they’re bitter.

Worst of all, we know it’s not our fault. IT faces the lion’s share of Sarb-Ox “deficiencies” because we’re in charge of the data that will make up those trustworthy financial statements. Our “deficient” systems worked fine for years. Now, because crooked executives at a few companies played fast and loose with their numbers, we’re the ones who have to rebuild trust we never deserved to lose.

That’s why those new SEC guidelines truly are good news. They’re the first sign that Sarb-Ox won’t be an ever-expanding spiral of paranoia. The focus, the SEC now sensibly says, should be on the greatest risks of financial misstatement. It’s time to start replacing endless inventories and mindless checklists with informed management judgment about where those risks lie.

And in IT, we can start to think again about the best ways of protecting business data integrity — controls that are effective, not just exhaustive.

And then maybe we’ll begin to remember once more that investors want to trust not just the numbers, but also the people behind them. @ 54496
SHARK TANK

Remember, No Live Demos!
Pilot fish's boss is demonstrating the company's new e-mail client. “He asked one user what was his most important e-mail and then promptly proceeded to delete it to show how it could be salvaged,” fish reports. “In the course of restoring it, he inadvertently retrieved about 300 other deleted messages and, while they were in the process of restoring, tried to delete them again.” In the end, they're gone - and so is the important e-mail. User: “So now you're going to show me how to get that e-mail back?”

Unbooted
[...] pilot fish [...] log-in script on each [...] a not-very-new virus infects a PC, fish gets chewed out in public for letting it happen. It's not until he finally talks to the user that he realizes what went wrong. “Turns out the user had not logged off and on in months, so she never got updates,” fish groans. “The IT manager told her boss, but the boss still blamed me for it.”

Unclear on The Concept
CIO e-mails all employees to tell them that external Web mail has been deemed a security risk, and it’s being blocked - but the change won't affect sending or receiving messages through company e-mail. “One employee responds via her company e-mail account saying that she didn’t realize we had company e-mail and wanted to know who she should contact to get her set up,” sighs a pilot fish watching it all. “The CIO forwards her e-mail to the network team, requesting that she be set up.”

All in a Day’s Work
[...] shift getting an e-mail [...] stressed-out sysadmin pilot fish goes to get a [...] my boss killed a server and I spent the rest of the day cleaning up the mess.’ Her jaw dropped. It took me a couple of seconds to realize what I had said. I guess she thought I worked at a restaurant.”

Key Issue
After vendor rep makes his pitch, he offers to leave his presentation with pilot fish on a USB key drive. “Accessing the USB key later reveals several other documents in the Recycle Bin folder on the USB key,” fish says, “including an internal corporate presentation complaining about the lack of corporate support for the solution he was offering us. Who says it pays to recycle?”